| Offset 1, 6 lines modified | Offset 1, 6 lines modified | ||
| 1 | · | 1 | ·b2ffbc18a5380b9fd40e39f46deefeba·135460·admin·optional·ssg-applications_0.1.39-2_all.deb |
| 2 | ·4c0015be793df1ca99454c137ac6ffdb·22640·admin·optional·ssg-base_0.1.39-2_all.deb | 2 | ·4c0015be793df1ca99454c137ac6ffdb·22640·admin·optional·ssg-base_0.1.39-2_all.deb |
| 3 | · | 3 | ·bf02caa4d092b6cda46075b6dabb5e13·167408·admin·optional·ssg-debderived_0.1.39-2_all.deb |
| 4 | · | 4 | ·7168b4d1d8a95272fe7849255be0d6e9·155464·admin·optional·ssg-debian_0.1.39-2_all.deb |
| 5 | ·b8 | 5 | ·60b89670ab698377c7aa57c0bb1ea682·5252052·admin·optional·ssg-nondebian_0.1.39-2_all.deb |
| Offset 1, 3 lines modified | Offset 1, 3 lines modified | ||
| 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary | 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary |
| 2 | -rw-r--r--···0········0········0·····18 | 2 | -rw-r--r--···0········0········0·····1812·2018-07-26·14:58:28.000000·control.tar.xz |
| 3 | -rw-r--r--···0········0········0···1334 | 3 | -rw-r--r--···0········0········0···133456·2018-07-26·14:58:28.000000·data.tar.xz |
| Offset 393, 25 lines modified | Offset 393, 25 lines modified | ||
| 393 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 393 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 394 | if·!·[·$?·-eq·0·]·;·then | 394 | if·!·[·$?·-eq·0·]·;·then |
| 395 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 395 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 396 | else | 396 | else |
| 397 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 397 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 398 | fi | 398 | fi |
| 399 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_ | 399 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_popups"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_popups"·id="guide-tree-leaf-idm1562"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_popups">Disable·Popups |
| 400 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_ | 400 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_popups">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Chromium·allows·you·to·manage·whether·or·not·unwanted·pop-up·windows·appear. |
| 401 | T | 401 | To·disable·pop-ups,·set·<code>DefaultPopupsSetting</code>·to·<code>2</code>· |
| 402 | 402 | in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Pop-up·windows·should·be·disabled·to·prevent·malicious·websites·from·controlling | |
| 403 | 403 | pop-up·windows·or·fooling·users·into·clicking·on·the·wrong·window.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 404 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 404 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 405 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 405 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 406 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC00 | 406 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0004</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1570">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1570"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json" |
| 407 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 407 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 408 | POL_SETTING=" | 408 | POL_SETTING="DefaultPopupsSetting" |
| 409 | POL_SETTING_VAL=" | 409 | POL_SETTING_VAL="2" |
| 410 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 410 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 411 | if·!·[·$?·-eq·0·]·;·then | 411 | if·!·[·$?·-eq·0·]·;·then |
| 412 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 412 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 413 | else | 413 | else |
| 414 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 414 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| Offset 492, 23 lines modified | Offset 492, 24 lines modified | ||
| 492 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 492 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 493 | if·!·[·$?·-eq·0·]·;·then | 493 | if·!·[·$?·-eq·0·]·;·then |
| 494 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 494 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 495 | else | 495 | else |
| 496 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 496 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 497 | fi | 497 | fi |
| 498 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_ | 498 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization"·id="guide-tree-leaf-idm1629"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization">Require·Outdated·Plugins·to·be·Authorized |
| 499 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_ | 499 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Chromium·should·prompt·users·for·authorization·to·run·outdated·plugins.·This |
| 500 | 500 | can·be·enabled·by·setting·<code>AlwaysAuthorizePlugins</code>·to·<code>false</code> | |
| 501 | in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p> | 501 | in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Outdated·plugins·can·compromise·security·and·should·request·authorization·from |
| 502 | the·user·before·running.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 502 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 503 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 503 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 504 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 504 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC001 | 505 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0014</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1637">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1637"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json" |
| 505 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 506 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 506 | POL_SETTING=" | 507 | POL_SETTING="AlwaysAuthorizePlugins" |
| 507 | POL_SETTING_VAL="false" | 508 | POL_SETTING_VAL="false" |
| 508 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 509 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 509 | if·!·[·$?·-eq·0·]·;·then | 510 | if·!·[·$?·-eq·0·]·;·then |
| 510 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 511 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 511 | else | 512 | else |
| Offset 653, 24 lines modified | Offset 654, 26 lines modified | ||
| 653 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 654 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 654 | if·!·[·$?·-eq·0·]·;·then | 655 | if·!·[·$?·-eq·0·]·;·then |
| 655 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 656 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 656 | else | 657 | else |
| 657 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 658 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 658 | fi | 659 | fi |
| 659 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_ | 660 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_google_sync"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_google_sync"·id="guide-tree-leaf-idm1741"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_google_sync">Disable·Data·Synchronization·to·Google |
| 660 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_ | 661 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_google_sync">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p><code>SyncDisabled</code>·to·<code>true</code>·in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Google·Sync·is·used·to·sync·information·between·different·user·devices, |
| 661 | t | 662 | this·data·is·then·stored·on·Google·owned·servers.·The·synced·data·may·consist |
| 662 | 663 | of·information·such·as·email,·calendars,·viewing·history,·etc.·This·feature·must | |
| 664 | be·disabled·because·the·organization·does·not·have·control·over·the·servers·the | ||
| 665 | data·is·stored·on.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 663 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 666 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 664 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 667 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 665 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC002 | 668 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0020</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1749">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1749"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json" |
| 666 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 669 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 667 | POL_SETTING=" | 670 | POL_SETTING="SyncDisabled" |
| 668 | POL_SETTING_VAL=" | 671 | POL_SETTING_VAL="true" |
| 669 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 672 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 670 | if·!·[·$?·-eq·0·]·;·then | 673 | if·!·[·$?·-eq·0·]·;·then |
| 671 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 674 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 672 | else | 675 | else |
| 673 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 676 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| Offset 692, 25 lines modified | Offset 695, 25 lines modified | ||
| 692 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 695 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 693 | if·!·[·$?·-eq·0·]·;·then | 696 | if·!·[·$?·-eq·0·]·;·then |
| 694 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 697 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 695 | else | 698 | else |
| 696 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 699 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 697 | fi | 700 | fi |
| 698 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_po | 701 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting"·id="guide-tree-leaf-idm1767"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting">Disable·Metrics·Reporting |
| 699 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_po | 702 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Whenever·Chromium·crashes,·it·sends·its·usage·and·crash-related·data·to·Google. |
| 700 | To·disable | 703 | This·should·be·disabled·by·setting·<code>MetricsReportingEnabled</code>·to· |
| 701 | in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p> | 704 | <code>false</code>·in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·reporting·of·usage·and·crash-related·data·is·sent·to·Google. |
| 702 | 705 | A·crash·report·could·contain·sensitive·information·from·the·computer's·memory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 703 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 706 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 704 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 707 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 705 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC00 | 708 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0026</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1775">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1775"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json" |
| 706 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 709 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 707 | POL_SETTING=" | 710 | POL_SETTING="MetricsReportingEnabled" |
| 708 | POL_SETTING_VAL=" | 711 | POL_SETTING_VAL="false" |
| 709 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 712 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 710 | if·!·[·$?·-eq·0·]·;·then | 713 | if·!·[·$?·-eq·0·]·;·then |
| 711 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 714 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 712 | else | 715 | else |
| 713 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 716 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| Offset 776, 26 lines modified | Offset 779, 24 lines modified | ||
| 776 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 779 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 777 | if·!·[·$?·-eq·0·]·;·then | 780 | if·!·[·$?·-eq·0·]·;·then |
| 778 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 781 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 779 | else | 782 | else |
| 780 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 783 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 781 | fi | 784 | fi |
| 782 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_ | 785 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction"·id="guide-tree-leaf-idm1821"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction">Disable·Network·Prediction |
| 783 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_ | 786 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·disable·the·network·prediction·feature,·set·<code>DnsPrefetchingEnabled</code> |
| 784 | t | 787 | to·<code>false</code>·in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>This·controls·not·only·DNS·prefetching·but·also·TCP·and·SSL·preconnection |
| 785 | 788 | and·prerendering·of·web·pages.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 786 | be·disabled·because·the·organization·does·not·have·control·over·the·servers·the | ||
| 787 | data·is·stored·on.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 788 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 789 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 789 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 790 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 790 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC002 | 791 | ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0025</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1829">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1829"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json" |
| 791 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 792 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 792 | POL_SETTING=" | 793 | POL_SETTING="DnsPrefetchingEnabled" |
| 793 | POL_SETTING_VAL=" | 794 | POL_SETTING_VAL="false" |
| 794 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 795 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 795 | if·!·[·$?·-eq·0·]·;·then | 796 | if·!·[·$?·-eq·0·]·;·then |
| Max diff block lines reached; 4518/26862 bytes (16.82%) of diff not shown. | |||
| Offset 48, 31 lines modified | Offset 48, 31 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/a:mozilla:firefox</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox">Firefox</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences- | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/a:mozilla:firefox</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox">Firefox</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_firefox">Firefox | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_firefox">Firefox |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·is·an·open-source·web·browser·and·developed·by·Mozilla. | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·is·an·open-source·web·browser·and·developed·by·Mozilla. |
| 58 | Web·browsers·such·as·Firefox·are·used·for·a·number·of·reasons.·This·section· | 58 | Web·browsers·such·as·Firefox·are·used·for·a·number·of·reasons.·This·section· |
| 59 | provides·settings·for·configuring·Firefox·policies·to·meet·compliance· | 59 | provides·settings·for·configuring·Firefox·policies·to·meet·compliance· |
| 60 | settings·for·Firefox·running·on·Red·Hat·Enterprise·Linux·systems. | 60 | settings·for·Firefox·running·on·Red·Hat·Enterprise·Linux·systems. |
| 61 | <ul>Refer·to·<li><a·href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries">http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries</a></li> | 61 | <ul>Refer·to·<li><a·href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries">http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries</a></li> |
| 62 | for·a·list·of·currently·supported·Firefox·settings.</ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences- | 62 | for·a·list·of·currently·supported·Firefox·settings.</ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data |
| 63 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Browser·preferences·should·be·set·to·perform·a·Clear·Private·Data | ||
| 64 | operation·when·closing·the·browser·in·order·to·clear·cookies·and·other | ||
| 65 | data·installed·by·websites·visited·during·the·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings | ||
| 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·required·security·preferences·cannot·be·changed·by·users.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required | ||
| 63 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Shared·System·Certificates·store·contains·certificates·that | 67 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Shared·System·Certificates·store·contains·certificates·that |
| 64 | applications·can·access·for·a·single·certificate·repository. | 68 | applications·can·access·for·a·single·certificate·repository. |
| 65 | If·enabled,·Firefox·can·access·that·single·system·certificate | 69 | If·enabled,·Firefox·can·access·that·single·system·certificate |
| 66 | repository.·If·the·DoD·root·certificate·is·also·installed·into | 70 | repository.·If·the·DoD·root·certificate·is·also·installed·into |
| 67 | the·shared·system·certificate·repository,·Firefox·will·see·and· | 71 | the·shared·system·certificate·repository,·Firefox·will·see·and· |
| 68 | use·the·DoD·root·certificate·as·a·valid·certificate·authority.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr><t | 72 | use·the·DoD·root·certificate·as·a·valid·certificate·authority.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr></tbody></table></div><div·id="rear-matter"><div·class="row·top-spacer-10"><div·class="col-md-12·well·well-lg"><div·class="rear-matter">Red·Hat·and·Red·Hat·Enterprise·Linux·are·either·registered |
| 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Browser·preferences·should·be·set·to·perform·a·Clear·Private·Data | ||
| 70 | operation·when·closing·the·browser·in·order·to·clear·cookies·and·other | ||
| 71 | data·installed·by·websites·visited·during·the·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings | ||
| 72 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·required·security·preferences·cannot·be·changed·by·users.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr></tbody></table></div><div·id="rear-matter"><div·class="row·top-spacer-10"><div·class="col-md-12·well·well-lg"><div·class="rear-matter">Red·Hat·and·Red·Hat·Enterprise·Linux·are·either·registered | ||
| 73 | trademarks·or·trademarks·of·Red·Hat,·Inc.·in·the·United·States·and·other | 73 | trademarks·or·trademarks·of·Red·Hat,·Inc.·in·the·United·States·and·other |
| 74 | countries.·All·other·names·are·registered·trademarks·or·trademarks·of·their | 74 | countries.·All·other·names·are·registered·trademarks·or·trademarks·of·their |
| 75 | respective·companies. | 75 | respective·companies. |
| 76 | </div></div></div></div></div></div><footer·id="footer"><div·class="container"><p·class="muted·credit"> | 76 | </div></div></div></div></div></div><footer·id="footer"><div·class="container"><p·class="muted·credit"> |
| 77 | ················Generated·using·<a·href="http://open-scap.org">OpenSCAP</a>·1.2.16</p></div></footer></body></html> | 77 | ················Generated·using·<a·href="http://open-scap.org">OpenSCAP</a>·1.2.16</p></div></footer></body></html> |
| Offset 59, 67 lines modified | Offset 59, 34 lines modified | ||
| 59 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 59 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 60 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 60 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 61 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 61 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 62 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 62 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 63 | quality,·reliability,·or·any·other·characteristic. | 63 | quality,·reliability,·or·any·other·characteristic. |
| 64 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Upstream·Firefox·STIG</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-firefox-upstream</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 64 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Upstream·Firefox·STIG</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-firefox-upstream</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 65 | ····························(as·of·2018-07-26) | 65 | ····························(as·of·2018-07-26) |
| 66 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/a:mozilla:firefox</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox">Firefox</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences- | 66 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/a:mozilla:firefox</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox">Firefox</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·0px"><small>contains·28·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_firefox">Firefox |
| 67 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·is·an·open-source·web·browser·and·developed·by·Mozilla. | 67 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·is·an·open-source·web·browser·and·developed·by·Mozilla. |
| 68 | Web·browsers·such·as·Firefox·are·used·for·a·number·of·reasons.·This·section· | 68 | Web·browsers·such·as·Firefox·are·used·for·a·number·of·reasons.·This·section· |
| 69 | provides·settings·for·configuring·Firefox·policies·to·meet·compliance· | 69 | provides·settings·for·configuring·Firefox·policies·to·meet·compliance· |
| 70 | settings·for·Firefox·running·on·Red·Hat·Enterprise·Linux·systems. | 70 | settings·for·Firefox·running·on·Red·Hat·Enterprise·Linux·systems. |
| 71 | <ul>Refer·to·<li><a·href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries">http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries</a></li> | 71 | <ul>Refer·to·<li><a·href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries">http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries</a></li> |
| 72 | for·a·list·of·currently·supported·Firefox·settings.</ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><small>contains·28·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences- | 72 | for·a·list·of·currently·supported·Firefox·settings.</ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><small>contains·28·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Shared·System·Certificates·store·contains·certificates·that | ||
| 74 | applications·can·access·for·a·single·certificate·repository. | ||
| 75 | If·enabled,·Firefox·can·access·that·single·system·certificate | ||
| 76 | repository.·If·the·DoD·root·certificate·is·also·installed·into | ||
| 77 | the·shared·system·certificate·repository,·Firefox·will·see·and· | ||
| 78 | use·the·DoD·root·certificate·as·a·valid·certificate·authority.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed"·id="guide-tree-leaf-idm1055"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed">The·DoD·Root·Certificate·Exists | ||
| 79 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·DoD·root·certificate·should·be·installed·in·the·Shared·System·Certificates·store | ||
| 80 | for·Firefox·to·be·able·to·access·the·DoD·certificate.·To·install·the·root·certificated | ||
| 81 | into·the·Shared·System·Certificates·store,·copy·the·DoD·root·certificate·into | ||
| 82 | <code>/etc/pki/ca-trust/source/anchors</code>.·Once·the·file·is·copied,·run·the·following | ||
| 83 | command: | ||
| 84 | <pre>$·sudo·update-ca-trust·extract</pre></p><span·class="label·label-primary">Rationale:</span><p>The·DOD·root·certificate·will·ensure·that·the·trust·chain·is | ||
| 85 | established·for·server·certificates·issued·from·the·DOD·CA.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 86 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 87 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27457-1">CCE-27457-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 88 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000054</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-10</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust"·id="guide-tree-leaf-idm1066"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust">Enable·Shared·System·Certificates | ||
| 89 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Shared·System·Certificates·store·makes·NSS,·GnuTLS,·OpenSSL,·and·Java | ||
| 90 | share·a·default·source·for·retrieving·system·certificate·anchors·and·blacklist | ||
| 91 | information.·Firefox·has·the·capability·of·using·this·centralized·store·for·its | ||
| 92 | CA·certificates.·If·the·Shared·System·Certificates·store·is·disabled,·it·can | ||
| 93 | be·enabled·by·running·the·following·command: | ||
| 94 | <pre>$·sudo·update-ca-trust·enable</pre></p><span·class="label·label-primary">Rationale:</span><p>The·DOD·root·certificate·will·ensure·that·the·trust·chain·is | ||
| 95 | established·for·server·certificates·issued·from·the·DOD·CA.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 96 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 97 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27457-1">CCE-27457-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 98 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000054</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-10</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1074">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1074"><pre><code>P11=$(readlink·/etc/alternatives/libnssckbi.so*) | ||
| 99 | P11LIB="/usr/lib/pkcs11/p11-kit-trust.so" | ||
| 100 | P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so" | ||
| 101 | if·!·[[·${P11}·==·"${P11LIB64}"·]]·||·!·[[·${P11}·==·"${P11LIB}"·]]·;·then | ||
| 102 | ···/usr/bin/update-ca-trust·enable | ||
| 103 | fi | ||
| 104 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data | ||
| 105 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Browser·preferences·should·be·set·to·perform·a·Clear·Private·Data | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Browser·preferences·should·be·set·to·perform·a·Clear·Private·Data |
| 106 | operation·when·closing·the·browser·in·order·to·clear·cookies·and·other | 74 | operation·when·closing·the·browser·in·order·to·clear·cookies·and·other |
| 107 | data·installed·by·websites·visited·during·the·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice"·id="guide-tree-leaf-idm10 | 75 | data·installed·by·websites·visited·during·the·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice"·id="guide-tree-leaf-idm1055"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice">Disable·User·Prompt·When·Data·Is·Cleared |
| 108 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·users·are·asked·if·it·is·okay·to·clear·out·cookies·and·data | 76 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·users·are·asked·if·it·is·okay·to·clear·out·cookies·and·data |
| 109 | when·Firefox·closes.·This·can·be·disabled·by· | 77 | when·Firefox·closes.·This·can·be·disabled·by· |
| 110 | setting·<code>privacy.sanitize.promptOnSanitize</code>·to·<code>false</code>.</p><span·class="label·label-primary">Rationale:</span><p>Cookies·can·help·websites·perform·better·but·can·also·be·part·of·spyware. | 78 | setting·<code>privacy.sanitize.promptOnSanitize</code>·to·<code>false</code>.</p><span·class="label·label-primary">Rationale:</span><p>Cookies·can·help·websites·perform·better·but·can·also·be·part·of·spyware. |
| 111 | To·mitigate·this·risk,·set·browser·preferences·to·perform·a·Clear·Private | 79 | To·mitigate·this·risk,·set·browser·preferences·to·perform·a·Clear·Private |
| 112 | Data·operation·when·closing·the·browser·in·order·to·clear·cookies·and | 80 | Data·operation·when·closing·the·browser·in·order·to·clear·cookies·and |
| 113 | other·data·installed·by·websites·visited·during·the·session.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 81 | other·data·installed·by·websites·visited·during·the·session.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 82 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 115 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 83 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 116 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-16716r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm10 | 84 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-16716r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1065">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1065"><pre><code>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the |
| 117 | #·preference·if·it·does·not·exist. | 85 | #·preference·if·it·does·not·exist. |
| 118 | # | 86 | # |
| 119 | #·Expects·three·arguments: | 87 | #·Expects·three·arguments: |
| 120 | # | 88 | # |
| 121 | #·config_file:··········Configuration·file·that·will·be·modified | 89 | #·config_file:··········Configuration·file·that·will·be·modified |
| 122 | #·key:··················Configuration·option·to·change | 90 | #·key:··················Configuration·option·to·change |
| 123 | #·value:················Value·of·the·configuration·option·to·change | 91 | #·value:················Value·of·the·configuration·option·to·change |
| Offset 168, 24 lines modified | Offset 135, 24 lines modified | ||
| 168 | ········echo·"lockPref(\"${key}\",·${value});"·>>·"${firefox_dir}/${firefox_cfg}" | 135 | ········echo·"lockPref(\"${key}\",·${value});"·>>·"${firefox_dir}/${firefox_cfg}" |
| 169 | ······fi | 136 | ······fi |
| 170 | ····fi | 137 | ····fi |
| 171 | ··done | 138 | ··done |
| 172 | } | 139 | } |
| 173 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.promptOnSanitize"·"false" | 140 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.promptOnSanitize"·"false" |
| 174 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear"·id="guide-tree-leaf-idm10 | 141 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear"·id="guide-tree-leaf-idm1071"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear">Clear·Data·When·Firefox·Closes |
| 175 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>When·a·user·browses·to·a·website,·cookies·and·other·types·of·data | 142 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>When·a·user·browses·to·a·website,·cookies·and·other·types·of·data |
| 176 | get·stored·on·the·system.·This·can·be·disabled·by·setting | 143 | get·stored·on·the·system.·This·can·be·disabled·by·setting |
| 177 | <code>privacy.sanitize.sanitizeOnShutdown</code>·to·<code>true</code>.</p><span·class="label·label-primary">Rationale:</span><p>Cookies·can·help·websites·perform·better·but·can·also·be·part·of·spyware. | 144 | <code>privacy.sanitize.sanitizeOnShutdown</code>·to·<code>true</code>.</p><span·class="label·label-primary">Rationale:</span><p>Cookies·can·help·websites·perform·better·but·can·also·be·part·of·spyware. |
| 178 | To·mitigate·this·risk,·set·browser·preferences·to·perform·a·Clear·Private | 145 | To·mitigate·this·risk,·set·browser·preferences·to·perform·a·Clear·Private |
| 179 | Data·operation·when·closing·the·browser·in·order·to·clear·cookies·and | 146 | Data·operation·when·closing·the·browser·in·order·to·clear·cookies·and |
| 180 | other·data·installed·by·websites·visited·during·the·session.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 147 | other·data·installed·by·websites·visited·during·the·session.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 181 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 148 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 182 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 149 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 183 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-16716r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1 | 150 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-16716r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1081">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1081"><pre><code>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the |
| 184 | #·preference·if·it·does·not·exist. | 151 | #·preference·if·it·does·not·exist. |
| 185 | # | 152 | # |
| 186 | #·Expects·three·arguments: | 153 | #·Expects·three·arguments: |
| 187 | # | 154 | # |
| 188 | #·config_file:··········Configuration·file·that·will·be·modified | 155 | #·config_file:··········Configuration·file·that·will·be·modified |
| 189 | #·key:··················Configuration·option·to·change | 156 | #·key:··················Configuration·option·to·change |
| 190 | #·value:················Value·of·the·configuration·option·to·change | 157 | #·value:················Value·of·the·configuration·option·to·change |
| Offset 235, 22 lines modified | Offset 202, 22 lines modified | ||
| 235 | ······fi | 202 | ······fi |
| 236 | ····fi | 203 | ····fi |
| 237 | ··done | 204 | ··done |
| 238 | } | 205 | } |
| 239 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.sanitizeOnShutdown"·"true" | 206 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.sanitizeOnShutdown"·"true" |
| 240 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings | 207 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings |
| 241 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·required·security·preferences·cannot·be·changed·by·users.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure"·id="guide-tree-leaf-idm1 | 208 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·required·security·preferences·cannot·be·changed·by·users.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure"·id="guide-tree-leaf-idm1090"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure">Disable·Firefox·Configuration·File·ROT-13·Encoding |
| 242 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Disable·ROT-13·encoding·by·setting·<code>general.config.obscure_value</code> | 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Disable·ROT-13·encoding·by·setting·<code>general.config.obscure_value</code> |
| 243 | to·<code>0</code>.</p><span·class="label·label-primary">Rationale:</span><p>ROT-13·encoded·prevents·system·adminstrators·from·easily·configuring | 210 | to·<code>0</code>.</p><span·class="label·label-primary">Rationale:</span><p>ROT-13·encoded·prevents·system·adminstrators·from·easily·configuring |
| 244 | and·deploying·Firefox·configuration·settings.·It·also·prevents·validating | 211 | and·deploying·Firefox·configuration·settings.·It·also·prevents·validating |
| 245 | settings·easily·from·automated·security·tools.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 212 | settings·easily·from·automated·security·tools.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 246 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 213 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 247 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 214 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 248 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF070</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-21889r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm11 | 215 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF070</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-21889r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm1100">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1100"><pre><code>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the |
| 249 | #·preference·if·it·does·not·exist. | 216 | #·preference·if·it·does·not·exist. |
| 250 | # | 217 | # |
| 251 | #·Expects·three·arguments: | 218 | #·Expects·three·arguments: |
| 252 | # | 219 | # |
| 253 | #·config_file:··········Configuration·file·that·will·be·modified | 220 | #·config_file:··········Configuration·file·that·will·be·modified |
| 254 | #·key:··················Configuration·option·to·change | 221 | #·key:··················Configuration·option·to·change |
| 255 | #·value:················Value·of·the·configuration·option·to·change | 222 | #·value:················Value·of·the·configuration·option·to·change |
| Offset 312, 22 lines modified | Offset 279, 22 lines modified | ||
| 312 | ······fi | 279 | ······fi |
| 313 | ····fi | 280 | ····fi |
| 314 | ··done | 281 | ··done |
| 315 | } | 282 | } |
| 316 | firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0" | 283 | firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0" |
| 317 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file"·id="guide-tree-leaf-idm11 | 284 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file"·id="guide-tree-leaf-idm1106"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file">Set·Firefox·Configuration·File·Location |
| 318 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Specify·the·Firefox·configuration·file·location·by·setting· | 285 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Specify·the·Firefox·configuration·file·location·by·setting· |
| 319 | <code>general.config.filename</code>·to·the·configuration·(i.e.·<code>mozilla.cfg</code>) | 286 | <code>general.config.filename</code>·to·the·configuration·(i.e.·<code>mozilla.cfg</code>) |
| 320 | filename·that·contains·the·Firefox·security·preferences.</p><span·class="label·label-primary">Rationale:</span><p>Locked·settings·prevents·users·from·accessing·about:config·and·changing | 287 | filename·that·contains·the·Firefox·security·preferences.</p><span·class="label·label-primary">Rationale:</span><p>Locked·settings·prevents·users·from·accessing·about:config·and·changing |
| Max diff block lines reached; 24041/52247 bytes (46.01%) of diff not shown. | |||
| Offset 318, 30 lines modified | Offset 318, 30 lines modified | ||
| 318 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 318 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 319 | else | 319 | else |
| 320 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 320 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 321 | fi | 321 | fi |
| 322 | #·END·fix·for·'chromium_disable_saved_passwords' | 322 | #·END·fix·for·'chromium_disable_saved_passwords' |
| 323 | ############################################################################### | 323 | ############################################################################### |
| 324 | #·BEGIN·fix·(16·/·37)·for·'chromium_disable_ | 324 | #·BEGIN·fix·(16·/·37)·for·'chromium_disable_popups' |
| 325 | ############################################################################### | 325 | ############################################################################### |
| 326 | (>&2·echo·"Remediating·rule·16/37:·'chromium_disable_ | 326 | (>&2·echo·"Remediating·rule·16/37:·'chromium_disable_popups'") |
| 327 | CHROME_POL_FILE="chrome_stig_policy.json" | 327 | CHROME_POL_FILE="chrome_stig_policy.json" |
| 328 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 328 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 329 | POL_SETTING=" | 329 | POL_SETTING="DefaultPopupsSetting" |
| 330 | POL_SETTING_VAL=" | 330 | POL_SETTING_VAL="2" |
| 331 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 331 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 332 | if·!·[·$?·-eq·0·]·;·then | 332 | if·!·[·$?·-eq·0·]·;·then |
| 333 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 333 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 334 | else | 334 | else |
| 335 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 335 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 336 | fi | 336 | fi |
| 337 | #·END·fix·for·'chromium_disable_ | 337 | #·END·fix·for·'chromium_disable_popups' |
| 338 | ############################################################################### | 338 | ############################################################################### |
| 339 | #·BEGIN·fix·(17·/·37)·for·'chromium_disable_incognito_mode' | 339 | #·BEGIN·fix·(17·/·37)·for·'chromium_disable_incognito_mode' |
| 340 | ############################################################################### | 340 | ############################################################################### |
| 341 | (>&2·echo·"Remediating·rule·17/37:·'chromium_disable_incognito_mode'") | 341 | (>&2·echo·"Remediating·rule·17/37:·'chromium_disable_incognito_mode'") |
| 342 | CHROME_POL_FILE="chrome_stig_policy.json" | 342 | CHROME_POL_FILE="chrome_stig_policy.json" |
| 343 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 343 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| Offset 409, 30 lines modified | Offset 409, 30 lines modified | ||
| 409 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 409 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 410 | else | 410 | else |
| 411 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 411 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 412 | fi | 412 | fi |
| 413 | #·END·fix·for·'chromium_enable_safe_browsing' | 413 | #·END·fix·for·'chromium_enable_safe_browsing' |
| 414 | ############################################################################### | 414 | ############################################################################### |
| 415 | #·BEGIN·fix·(21·/·37)·for·'chromium_ | 415 | #·BEGIN·fix·(21·/·37)·for·'chromium_plugins_require_authorization' |
| 416 | ############################################################################### | 416 | ############################################################################### |
| 417 | (>&2·echo·"Remediating·rule·21/37:·'chromium_ | 417 | (>&2·echo·"Remediating·rule·21/37:·'chromium_plugins_require_authorization'") |
| 418 | CHROME_POL_FILE="chrome_stig_policy.json" | 418 | CHROME_POL_FILE="chrome_stig_policy.json" |
| 419 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 419 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 420 | POL_SETTING=" | 420 | POL_SETTING="AlwaysAuthorizePlugins" |
| 421 | POL_SETTING_VAL="false" | 421 | POL_SETTING_VAL="false" |
| 422 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 422 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 423 | if·!·[·$?·-eq·0·]·;·then | 423 | if·!·[·$?·-eq·0·]·;·then |
| 424 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 424 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 425 | else | 425 | else |
| 426 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 426 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 427 | fi | 427 | fi |
| 428 | #·END·fix·for·'chromium_ | 428 | #·END·fix·for·'chromium_plugins_require_authorization' |
| 429 | ############################################################################### | 429 | ############################################################################### |
| 430 | #·BEGIN·fix·(22·/·37)·for·'chromium_default_block_plugins' | 430 | #·BEGIN·fix·(22·/·37)·for·'chromium_default_block_plugins' |
| 431 | ############################################################################### | 431 | ############################################################################### |
| 432 | (>&2·echo·"Remediating·rule·22/37:·'chromium_default_block_plugins'") | 432 | (>&2·echo·"Remediating·rule·22/37:·'chromium_default_block_plugins'") |
| 433 | CHROME_POL_FILE="chrome_stig_policy.json" | 433 | CHROME_POL_FILE="chrome_stig_policy.json" |
| 434 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 434 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| Offset 557, 30 lines modified | Offset 557, 30 lines modified | ||
| 557 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 557 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 558 | else | 558 | else |
| 559 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 559 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 560 | fi | 560 | fi |
| 561 | #·END·fix·for·'chromium_block_desktop_notifications' | 561 | #·END·fix·for·'chromium_block_desktop_notifications' |
| 562 | ############################################################################### | 562 | ############################################################################### |
| 563 | #·BEGIN·fix·(29·/·37)·for·'chromium_disable_ | 563 | #·BEGIN·fix·(29·/·37)·for·'chromium_disable_google_sync' |
| 564 | ############################################################################### | 564 | ############################################################################### |
| 565 | (>&2·echo·"Remediating·rule·29/37:·'chromium_disable_ | 565 | (>&2·echo·"Remediating·rule·29/37:·'chromium_disable_google_sync'") |
| 566 | CHROME_POL_FILE="chrome_stig_policy.json" | 566 | CHROME_POL_FILE="chrome_stig_policy.json" |
| 567 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 567 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 568 | POL_SETTING=" | 568 | POL_SETTING="SyncDisabled" |
| 569 | POL_SETTING_VAL=" | 569 | POL_SETTING_VAL="true" |
| 570 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 570 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 571 | if·!·[·$?·-eq·0·]·;·then | 571 | if·!·[·$?·-eq·0·]·;·then |
| 572 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 572 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 573 | else | 573 | else |
| 574 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 574 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 575 | fi | 575 | fi |
| 576 | #·END·fix·for·'chromium_disable_ | 576 | #·END·fix·for·'chromium_disable_google_sync' |
| 577 | ############################################################################### | 577 | ############################################################################### |
| 578 | #·BEGIN·fix·(30·/·37)·for·'chromium_disable_thirdparty_cookies' | 578 | #·BEGIN·fix·(30·/·37)·for·'chromium_disable_thirdparty_cookies' |
| 579 | ############################################################################### | 579 | ############################################################################### |
| 580 | (>&2·echo·"Remediating·rule·30/37:·'chromium_disable_thirdparty_cookies'") | 580 | (>&2·echo·"Remediating·rule·30/37:·'chromium_disable_thirdparty_cookies'") |
| 581 | CHROME_POL_FILE="chrome_stig_policy.json" | 581 | CHROME_POL_FILE="chrome_stig_policy.json" |
| 582 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 582 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| Offset 593, 30 lines modified | Offset 593, 30 lines modified | ||
| 593 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 593 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 594 | else | 594 | else |
| 595 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 595 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 596 | fi | 596 | fi |
| 597 | #·END·fix·for·'chromium_disable_thirdparty_cookies' | 597 | #·END·fix·for·'chromium_disable_thirdparty_cookies' |
| 598 | ############################################################################### | 598 | ############################################################################### |
| 599 | #·BEGIN·fix·(31·/·37)·for·'chromium_disable_po | 599 | #·BEGIN·fix·(31·/·37)·for·'chromium_disable_metrics_reporting' |
| 600 | ############################################################################### | 600 | ############################################################################### |
| 601 | (>&2·echo·"Remediating·rule·31/37:·'chromium_disable_po | 601 | (>&2·echo·"Remediating·rule·31/37:·'chromium_disable_metrics_reporting'") |
| 602 | CHROME_POL_FILE="chrome_stig_policy.json" | 602 | CHROME_POL_FILE="chrome_stig_policy.json" |
| 603 | CHROME_POL_DIR="/etc/chromium/policies/managed/" | 603 | CHROME_POL_DIR="/etc/chromium/policies/managed/" |
| 604 | POL_SETTING=" | 604 | POL_SETTING="MetricsReportingEnabled" |
| 605 | POL_SETTING_VAL=" | 605 | POL_SETTING_VAL="false" |
| 606 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 606 | grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 607 | if·!·[·$?·-eq·0·]·;·then | 607 | if·!·[·$?·-eq·0·]·;·then |
| 608 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 608 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 609 | else | 609 | else |
| 610 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 610 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 611 | fi | 611 | fi |
| 612 | #·END·fix·for·'chromium_disable_po | 612 | #·END·fix·for·'chromium_disable_metrics_reporting' |
| 613 | ############################################################################### | 613 | ############################################################################### |
| 614 | #·BEGIN·fix·(32·/·37)·for·'chromium_disable_protocol_schemas' | 614 | #·BEGIN·fix·(32·/·37)·for·'chromium_disable_protocol_schemas' |
| 615 | ############################################################################### | 615 | ############################################################################### |
| 616 | (>&2·echo·"Remediating·rule·32/37:·'chromium_disable_protocol_schemas'") | 616 | (>&2·echo·"Remediating·rule·32/37:·'chromium_disable_protocol_schemas'") |
| 617 | populate·var_url_blacklist | 617 | populate·var_url_blacklist |
| Offset 667, 30 lines modified | Offset 667, 30 lines modified | ||
| 667 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 667 | ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| 668 | else | 668 | else |
| 669 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} | 669 | ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE} |
| Max diff block lines reached; 2931/10192 bytes (28.76%) of diff not shown. | |||
| Offset 29, 37 lines modified | Offset 29, 17 lines modified | ||
| 29 | # | 29 | # |
| 30 | #·How·to·apply·this·remediation·role: | 30 | #·How·to·apply·this·remediation·role: |
| 31 | #·$·sudo·./remediation-role.sh | 31 | #·$·sudo·./remediation-role.sh |
| 32 | # | 32 | # |
| 33 | ############################################################################### | 33 | ############################################################################### |
| 34 | ############################################################################### | 34 | ############################################################################### |
| 35 | #·BEGIN·fix·(1·/·28)·for·'firefox_preferences- | 35 | #·BEGIN·fix·(1·/·28)·for·'firefox_preferences-cookies_user_notice' |
| 36 | ############################################################################### | 36 | ############################################################################### |
| 37 | (>&2·echo·"Remediating·rule·1/28:·'firefox_preferences- | 37 | (>&2·echo·"Remediating·rule·1/28:·'firefox_preferences-cookies_user_notice'") |
| 38 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 39 | #·END·fix·for·'firefox_preferences-dod_root_certificate_installed' | ||
| 40 | ############################################################################### | ||
| 41 | #·BEGIN·fix·(2·/·28)·for·'firefox_preferences-enable_ca_trust' | ||
| 42 | ############################################################################### | ||
| 43 | (>&2·echo·"Remediating·rule·2/28:·'firefox_preferences-enable_ca_trust'") | ||
| 44 | P11=$(readlink·/etc/alternatives/libnssckbi.so*) | ||
| 45 | P11LIB="/usr/lib/pkcs11/p11-kit-trust.so" | ||
| 46 | P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so" | ||
| 47 | if·!·[[·${P11}·==·"${P11LIB64}"·]]·||·!·[[·${P11}·==·"${P11LIB}"·]]·;·then | ||
| 48 | ···/usr/bin/update-ca-trust·enable | ||
| 49 | fi | ||
| 50 | #·END·fix·for·'firefox_preferences-enable_ca_trust' | ||
| 51 | ############################################################################### | ||
| 52 | #·BEGIN·fix·(3·/·28)·for·'firefox_preferences-cookies_user_notice' | ||
| 53 | ############################################################################### | ||
| 54 | (>&2·echo·"Remediating·rule·3/28:·'firefox_preferences-cookies_user_notice'") | ||
| 55 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the | 38 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the |
| 56 | #·preference·if·it·does·not·exist. | 39 | #·preference·if·it·does·not·exist. |
| 57 | # | 40 | # |
| 58 | #·Expects·three·arguments: | 41 | #·Expects·three·arguments: |
| 59 | # | 42 | # |
| 60 | #·config_file:··········Configuration·file·that·will·be·modified | 43 | #·config_file:··········Configuration·file·that·will·be·modified |
| 61 | #·key:··················Configuration·option·to·change | 44 | #·key:··················Configuration·option·to·change |
| Offset 112, 17 lines modified | Offset 92, 17 lines modified | ||
| 112 | ··done | 92 | ··done |
| 113 | } | 93 | } |
| 114 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.promptOnSanitize"·"false" | 94 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.promptOnSanitize"·"false" |
| 115 | #·END·fix·for·'firefox_preferences-cookies_user_notice' | 95 | #·END·fix·for·'firefox_preferences-cookies_user_notice' |
| 116 | ############################################################################### | 96 | ############################################################################### |
| 117 | #·BEGIN·fix·( | 97 | #·BEGIN·fix·(2·/·28)·for·'firefox_preferences-cookies_clear' |
| 118 | ############################################################################### | 98 | ############################################################################### |
| 119 | (>&2·echo·"Remediating·rule· | 99 | (>&2·echo·"Remediating·rule·2/28:·'firefox_preferences-cookies_clear'") |
| 120 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the | 100 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the |
| 121 | #·preference·if·it·does·not·exist. | 101 | #·preference·if·it·does·not·exist. |
| 122 | # | 102 | # |
| 123 | #·Expects·three·arguments: | 103 | #·Expects·three·arguments: |
| 124 | # | 104 | # |
| 125 | #·config_file:··········Configuration·file·that·will·be·modified | 105 | #·config_file:··········Configuration·file·that·will·be·modified |
| 126 | #·key:··················Configuration·option·to·change | 106 | #·key:··················Configuration·option·to·change |
| Offset 175, 17 lines modified | Offset 155, 17 lines modified | ||
| 175 | ··done | 155 | ··done |
| 176 | } | 156 | } |
| 177 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.sanitizeOnShutdown"·"true" | 157 | firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.sanitizeOnShutdown"·"true" |
| 178 | #·END·fix·for·'firefox_preferences-cookies_clear' | 158 | #·END·fix·for·'firefox_preferences-cookies_clear' |
| 179 | ############################################################################### | 159 | ############################################################################### |
| 180 | #·BEGIN·fix·( | 160 | #·BEGIN·fix·(3·/·28)·for·'firefox_preferences-lock_settings_obscure' |
| 181 | ############################################################################### | 161 | ############################################################################### |
| 182 | (>&2·echo·"Remediating·rule· | 162 | (>&2·echo·"Remediating·rule·3/28:·'firefox_preferences-lock_settings_obscure'") |
| 183 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the | 163 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the |
| 184 | #·preference·if·it·does·not·exist. | 164 | #·preference·if·it·does·not·exist. |
| 185 | # | 165 | # |
| 186 | #·Expects·three·arguments: | 166 | #·Expects·three·arguments: |
| 187 | # | 167 | # |
| 188 | #·config_file:··········Configuration·file·that·will·be·modified | 168 | #·config_file:··········Configuration·file·that·will·be·modified |
| 189 | #·key:··················Configuration·option·to·change | 169 | #·key:··················Configuration·option·to·change |
| Offset 251, 17 lines modified | Offset 231, 17 lines modified | ||
| 251 | } | 231 | } |
| 252 | firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0" | 232 | firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0" |
| 253 | #·END·fix·for·'firefox_preferences-lock_settings_obscure' | 233 | #·END·fix·for·'firefox_preferences-lock_settings_obscure' |
| 254 | ############################################################################### | 234 | ############################################################################### |
| 255 | #·BEGIN·fix·( | 235 | #·BEGIN·fix·(4·/·28)·for·'firefox_preferences-lock_settings_config_file' |
| 256 | ############################################################################### | 236 | ############################################################################### |
| 257 | (>&2·echo·"Remediating·rule· | 237 | (>&2·echo·"Remediating·rule·4/28:·'firefox_preferences-lock_settings_config_file'") |
| 258 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the | 238 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the |
| 259 | #·preference·if·it·does·not·exist. | 239 | #·preference·if·it·does·not·exist. |
| 260 | # | 240 | # |
| 261 | #·Expects·three·arguments: | 241 | #·Expects·three·arguments: |
| 262 | # | 242 | # |
| 263 | #·config_file:··········Configuration·file·that·will·be·modified | 243 | #·config_file:··········Configuration·file·that·will·be·modified |
| 264 | #·key:··················Configuration·option·to·change | 244 | #·key:··················Configuration·option·to·change |
| Offset 327, 14 lines modified | Offset 307, 34 lines modified | ||
| 327 | } | 307 | } |
| 328 | firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"stig.cfg\"" | 308 | firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"stig.cfg\"" |
| 329 | #·END·fix·for·'firefox_preferences-lock_settings_config_file' | 309 | #·END·fix·for·'firefox_preferences-lock_settings_config_file' |
| 330 | ############################################################################### | 310 | ############################################################################### |
| 311 | #·BEGIN·fix·(5·/·28)·for·'firefox_preferences-dod_root_certificate_installed' | ||
| 312 | ############################################################################### | ||
| 313 | (>&2·echo·"Remediating·rule·5/28:·'firefox_preferences-dod_root_certificate_installed'") | ||
| 314 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 315 | #·END·fix·for·'firefox_preferences-dod_root_certificate_installed' | ||
| 316 | ############################################################################### | ||
| 317 | #·BEGIN·fix·(6·/·28)·for·'firefox_preferences-enable_ca_trust' | ||
| 318 | ############################################################################### | ||
| 319 | (>&2·echo·"Remediating·rule·6/28:·'firefox_preferences-enable_ca_trust'") | ||
| 320 | P11=$(readlink·/etc/alternatives/libnssckbi.so*) | ||
| 321 | P11LIB="/usr/lib/pkcs11/p11-kit-trust.so" | ||
| 322 | P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so" | ||
| 323 | if·!·[[·${P11}·==·"${P11LIB64}"·]]·||·!·[[·${P11}·==·"${P11LIB}"·]]·;·then | ||
| 324 | ···/usr/bin/update-ca-trust·enable | ||
| 325 | fi | ||
| 326 | #·END·fix·for·'firefox_preferences-enable_ca_trust' | ||
| 327 | ############################################################################### | ||
| 331 | #·BEGIN·fix·(7·/·28)·for·'firefox_preferences-ssl_protocol_tls' | 328 | #·BEGIN·fix·(7·/·28)·for·'firefox_preferences-ssl_protocol_tls' |
| 332 | ############################################################################### | 329 | ############################################################################### |
| 333 | (>&2·echo·"Remediating·rule·7/28:·'firefox_preferences-ssl_protocol_tls'") | 330 | (>&2·echo·"Remediating·rule·7/28:·'firefox_preferences-ssl_protocol_tls'") |
| 334 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the | 331 | #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the |
| 335 | #·preference·if·it·does·not·exist. | 332 | #·preference·if·it·does·not·exist. |
| 336 | # | 333 | # |
| 337 | #·Expects·three·arguments: | 334 | #·Expects·three·arguments: |
| Offset 1213, 17 lines modified | Offset 1213, 17 lines modified | ||
| Max diff block lines reached; 3214/9694 bytes (33.15%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"·version="1"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Installed·operating·system·is·part·of·the·Unix·family</ns0:title> | 12 | ········<ns0:title>Installed·operating·system·is·part·of·the·Unix·family</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:product>Google·Chromium·Browser</ns0:product> | 14 | ··········<ns0:product>Google·Chromium·Browser</ns0:product> |
| Offset 18, 21 lines modified | Offset 18, 21 lines modified | ||
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-ocil.xml"/> | 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-ocil.xml"/> |
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-chromium-oval.xml"·timestamp="2020-07-1 | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-chromium-oval.xml"·timestamp="2020-07-12T18:46:38"> |
| 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 27 | ······<ns0:generator> | 27 | ······<ns0:generator> |
| 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 30 | ········<ns2:schema_version>5.11</ns2:schema_version> | 30 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 31 | ········<ns2:timestamp>2020-07-12T0 | 31 | ········<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp> |
| 32 | ······</ns0:generator> | 32 | ······</ns0:generator> |
| 33 | ······<ns0:definitions> | 33 | ······<ns0:definitions> |
| 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-chromium_blacklist_extension_installation:def:1"·version="1"> | 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-chromium_blacklist_extension_installation:def:1"·version="1"> |
| 35 | ··········<ns0:metadata> | 35 | ··········<ns0:metadata> |
| 36 | ············<ns0:title>Blacklist·Extension·Installation</ns0:title> | 36 | ············<ns0:title>Blacklist·Extension·Installation</ns0:title> |
| 37 | ············<ns0:affected·family="unix"> | 37 | ············<ns0:affected·family="unix"> |
| 38 | ··············<ns0:platform>Google·Chromium·Browser</ns0:platform> | 38 | ··············<ns0:platform>Google·Chromium·Browser</ns0:platform> |
| Offset 896, 15 lines modified | Offset 896, 15 lines modified | ||
| 896 | ········<ns0:external_variable·comment="Expected·search·provider·name"·datatype="string"·id="oval:ssg-var_enable_encrypted_searching:var:1"·version="1"/> | 896 | ········<ns0:external_variable·comment="Expected·search·provider·name"·datatype="string"·id="oval:ssg-var_enable_encrypted_searching:var:1"·version="1"/> |
| 897 | ········<ns0:external_variable·comment="Expected·approved·extensions"·datatype="string"·id="oval:ssg-var_extension_whitelist:var:1"·version="1"/> | 897 | ········<ns0:external_variable·comment="Expected·approved·extensions"·datatype="string"·id="oval:ssg-var_extension_whitelist:var:1"·version="1"/> |
| 898 | ········<ns0:external_variable·comment="Expected·HTTP·authentication·type"·datatype="string"·id="oval:ssg-var_auth_schema:var:1"·version="1"/> | 898 | ········<ns0:external_variable·comment="Expected·HTTP·authentication·type"·datatype="string"·id="oval:ssg-var_auth_schema:var:1"·version="1"/> |
| 899 | ········<ns0:external_variable·comment="Expected·home·page"·datatype="string"·id="oval:ssg-var_trusted_home_page:var:1"·version="1"/> | 899 | ········<ns0:external_variable·comment="Expected·home·page"·datatype="string"·id="oval:ssg-var_trusted_home_page:var:1"·version="1"/> |
| 900 | ······</ns0:variables> | 900 | ······</ns0:variables> |
| 901 | ····</ns0:oval_definitions> | 901 | ····</ns0:oval_definitions> |
| 902 | ··</ds:component> | 902 | ··</ds:component> |
| 903 | ··<ds:component·id="scap_org.open-scap_comp_ssg-chromium-ocil.xml"·timestamp="2020-07-1 | 903 | ··<ds:component·id="scap_org.open-scap_comp_ssg-chromium-ocil.xml"·timestamp="2020-07-12T18:46:38"> |
| 904 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 904 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 905 | ······<ns0:generator> | 905 | ······<ns0:generator> |
| 906 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 906 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 907 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 907 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 908 | ········<ns0:schema_version>2.0</ns0:schema_version> | 908 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 909 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 909 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 910 | ······</ns0:generator> | 910 | ······</ns0:generator> |
| Offset 995, 18 lines modified | Offset 995, 18 lines modified | ||
| 995 | ········</ns0:questionnaire> | 995 | ········</ns0:questionnaire> |
| 996 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_saved_passwords_ocil:questionnaire:1"> | 996 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_saved_passwords_ocil:questionnaire:1"> |
| 997 | ··········<ns0:title>Disable·Saved·Passwords</ns0:title> | 997 | ··········<ns0:title>Disable·Saved·Passwords</ns0:title> |
| 998 | ··········<ns0:actions> | 998 | ··········<ns0:actions> |
| 999 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_saved_passwords_action:testaction:1</ns0:test_action_ref> | 999 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_saved_passwords_action:testaction:1</ns0:test_action_ref> |
| 1000 | ··········</ns0:actions> | 1000 | ··········</ns0:actions> |
| 1001 | ········</ns0:questionnaire> | 1001 | ········</ns0:questionnaire> |
| 1002 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_ | 1002 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_popups_ocil:questionnaire:1"> |
| 1003 | ··········<ns0:title>Disable· | 1003 | ··········<ns0:title>Disable·Popups</ns0:title> |
| 1004 | ··········<ns0:actions> | 1004 | ··········<ns0:actions> |
| 1005 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_ | 1005 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_popups_action:testaction:1</ns0:test_action_ref> |
| 1006 | ··········</ns0:actions> | 1006 | ··········</ns0:actions> |
| 1007 | ········</ns0:questionnaire> | 1007 | ········</ns0:questionnaire> |
| 1008 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_incognito_mode_ocil:questionnaire:1"> | 1008 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_incognito_mode_ocil:questionnaire:1"> |
| 1009 | ··········<ns0:title>Disable·Incognito·Mode</ns0:title> | 1009 | ··········<ns0:title>Disable·Incognito·Mode</ns0:title> |
| 1010 | ··········<ns0:actions> | 1010 | ··········<ns0:actions> |
| 1011 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_incognito_mode_action:testaction:1</ns0:test_action_ref> | 1011 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_incognito_mode_action:testaction:1</ns0:test_action_ref> |
| 1012 | ··········</ns0:actions> | 1012 | ··········</ns0:actions> |
| Offset 1025, 18 lines modified | Offset 1025, 18 lines modified | ||
| 1025 | ········</ns0:questionnaire> | 1025 | ········</ns0:questionnaire> |
| 1026 | ········<ns0:questionnaire·id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1"> | 1026 | ········<ns0:questionnaire·id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1"> |
| 1027 | ··········<ns0:title>Enable·the·Safe·Browsing·Feature</ns0:title> | 1027 | ··········<ns0:title>Enable·the·Safe·Browsing·Feature</ns0:title> |
| 1028 | ··········<ns0:actions> | 1028 | ··········<ns0:actions> |
| 1029 | ············<ns0:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ns0:test_action_ref> | 1029 | ············<ns0:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ns0:test_action_ref> |
| 1030 | ··········</ns0:actions> | 1030 | ··········</ns0:actions> |
| 1031 | ········</ns0:questionnaire> | 1031 | ········</ns0:questionnaire> |
| 1032 | ········<ns0:questionnaire·id="ocil:ssg-chromium_ | 1032 | ········<ns0:questionnaire·id="ocil:ssg-chromium_plugins_require_authorization_ocil:questionnaire:1"> |
| 1033 | ··········<ns0:title> | 1033 | ··········<ns0:title>Require·Outdated·Plugins·to·be·Authorized</ns0:title> |
| 1034 | ··········<ns0:actions> | 1034 | ··········<ns0:actions> |
| 1035 | ············<ns0:test_action_ref>ocil:ssg-chromium_ | 1035 | ············<ns0:test_action_ref>ocil:ssg-chromium_plugins_require_authorization_action:testaction:1</ns0:test_action_ref> |
| 1036 | ··········</ns0:actions> | 1036 | ··········</ns0:actions> |
| 1037 | ········</ns0:questionnaire> | 1037 | ········</ns0:questionnaire> |
| 1038 | ········<ns0:questionnaire·id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1"> | 1038 | ········<ns0:questionnaire·id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1"> |
| 1039 | ··········<ns0:title>Block·Plugins·by·Default</ns0:title> | 1039 | ··········<ns0:title>Block·Plugins·by·Default</ns0:title> |
| 1040 | ··········<ns0:actions> | 1040 | ··········<ns0:actions> |
| 1041 | ············<ns0:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ns0:test_action_ref> | 1041 | ············<ns0:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ns0:test_action_ref> |
| 1042 | ··········</ns0:actions> | 1042 | ··········</ns0:actions> |
| Offset 1073, 30 lines modified | Offset 1073, 30 lines modified | ||
| 1073 | ········</ns0:questionnaire> | 1073 | ········</ns0:questionnaire> |
| 1074 | ········<ns0:questionnaire·id="ocil:ssg-chromium_block_desktop_notifications_ocil:questionnaire:1"> | 1074 | ········<ns0:questionnaire·id="ocil:ssg-chromium_block_desktop_notifications_ocil:questionnaire:1"> |
| 1075 | ··········<ns0:title>Prevent·Desktop·Notifications</ns0:title> | 1075 | ··········<ns0:title>Prevent·Desktop·Notifications</ns0:title> |
| 1076 | ··········<ns0:actions> | 1076 | ··········<ns0:actions> |
| 1077 | ············<ns0:test_action_ref>ocil:ssg-chromium_block_desktop_notifications_action:testaction:1</ns0:test_action_ref> | 1077 | ············<ns0:test_action_ref>ocil:ssg-chromium_block_desktop_notifications_action:testaction:1</ns0:test_action_ref> |
| 1078 | ··········</ns0:actions> | 1078 | ··········</ns0:actions> |
| 1079 | ········</ns0:questionnaire> | 1079 | ········</ns0:questionnaire> |
| 1080 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_ | 1080 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_google_sync_ocil:questionnaire:1"> |
| 1081 | ··········<ns0:title>Disable· | 1081 | ··········<ns0:title>Disable·Data·Synchronization·to·Google</ns0:title> |
| 1082 | ··········<ns0:actions> | 1082 | ··········<ns0:actions> |
| 1083 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_ | 1083 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_google_sync_action:testaction:1</ns0:test_action_ref> |
| 1084 | ··········</ns0:actions> | 1084 | ··········</ns0:actions> |
| 1085 | ········</ns0:questionnaire> | 1085 | ········</ns0:questionnaire> |
| 1086 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_thirdparty_cookies_ocil:questionnaire:1"> | 1086 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_thirdparty_cookies_ocil:questionnaire:1"> |
| 1087 | ··········<ns0:title>Disable·3rd·Party·Cookies</ns0:title> | 1087 | ··········<ns0:title>Disable·3rd·Party·Cookies</ns0:title> |
| 1088 | ··········<ns0:actions> | 1088 | ··········<ns0:actions> |
| 1089 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1</ns0:test_action_ref> | 1089 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1</ns0:test_action_ref> |
| 1090 | ··········</ns0:actions> | 1090 | ··········</ns0:actions> |
| 1091 | ········</ns0:questionnaire> | 1091 | ········</ns0:questionnaire> |
| 1092 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_po | 1092 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_metrics_reporting_ocil:questionnaire:1"> |
| 1093 | ··········<ns0:title>Disable· | 1093 | ··········<ns0:title>Disable·Metrics·Reporting</ns0:title> |
| 1094 | ··········<ns0:actions> | 1094 | ··········<ns0:actions> |
| 1095 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_po | 1095 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1</ns0:test_action_ref> |
| 1096 | ··········</ns0:actions> | 1096 | ··········</ns0:actions> |
| 1097 | ········</ns0:questionnaire> | 1097 | ········</ns0:questionnaire> |
| 1098 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_protocol_schemas_ocil:questionnaire:1"> | 1098 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_protocol_schemas_ocil:questionnaire:1"> |
| 1099 | ··········<ns0:title>Disable·Insecure·And·Obsolete·Protocol·Schemas</ns0:title> | 1099 | ··········<ns0:title>Disable·Insecure·And·Obsolete·Protocol·Schemas</ns0:title> |
| 1100 | ··········<ns0:actions> | 1100 | ··········<ns0:actions> |
| 1101 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1</ns0:test_action_ref> | 1101 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1</ns0:test_action_ref> |
| 1102 | ··········</ns0:actions> | 1102 | ··········</ns0:actions> |
| Offset 1109, 30 lines modified | Offset 1109, 30 lines modified | ||
| 1109 | ········</ns0:questionnaire> | 1109 | ········</ns0:questionnaire> |
| 1110 | ········<ns0:questionnaire·id="ocil:ssg-chromium_blacklist_extension_installation_ocil:questionnaire:1"> | 1110 | ········<ns0:questionnaire·id="ocil:ssg-chromium_blacklist_extension_installation_ocil:questionnaire:1"> |
| 1111 | ··········<ns0:title>Disable·All·Extensions·by·Default</ns0:title> | 1111 | ··········<ns0:title>Disable·All·Extensions·by·Default</ns0:title> |
| 1112 | ··········<ns0:actions> | 1112 | ··········<ns0:actions> |
| 1113 | ············<ns0:test_action_ref>ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1</ns0:test_action_ref> | 1113 | ············<ns0:test_action_ref>ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1</ns0:test_action_ref> |
| 1114 | ··········</ns0:actions> | 1114 | ··········</ns0:actions> |
| 1115 | ········</ns0:questionnaire> | 1115 | ········</ns0:questionnaire> |
| 1116 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_ | 1116 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_network_prediction_ocil:questionnaire:1"> |
| 1117 | ··········<ns0:title>Disable· | 1117 | ··········<ns0:title>Disable·Network·Prediction</ns0:title> |
| 1118 | ··········<ns0:actions> | 1118 | ··········<ns0:actions> |
| 1119 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_ | 1119 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_network_prediction_action:testaction:1</ns0:test_action_ref> |
| 1120 | ··········</ns0:actions> | 1120 | ··········</ns0:actions> |
| 1121 | ········</ns0:questionnaire> | 1121 | ········</ns0:questionnaire> |
| 1122 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1"> | 1122 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1"> |
| 1123 | ··········<ns0:title>Disable·Cloud·Print·Sharing</ns0:title> | 1123 | ··········<ns0:title>Disable·Cloud·Print·Sharing</ns0:title> |
| 1124 | ··········<ns0:actions> | 1124 | ··········<ns0:actions> |
| 1125 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ns0:test_action_ref> | 1125 | ············<ns0:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ns0:test_action_ref> |
| 1126 | ··········</ns0:actions> | 1126 | ··········</ns0:actions> |
| 1127 | ········</ns0:questionnaire> | 1127 | ········</ns0:questionnaire> |
| 1128 | ········<ns0:questionnaire·id="ocil:ssg-chromium_ | 1128 | ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_cleartext_passwords_ocil:questionnaire:1"> |
| Max diff block lines reached; 121818/132299 bytes (92.08%) of diff not shown. | |||
| Offset 93, 18 lines modified | Offset 93, 18 lines modified | ||
| 93 | ····</ns0:questionnaire> | 93 | ····</ns0:questionnaire> |
| 94 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_saved_passwords_ocil:questionnaire:1"> | 94 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_saved_passwords_ocil:questionnaire:1"> |
| 95 | ······<ns0:title>Disable·Saved·Passwords</ns0:title> | 95 | ······<ns0:title>Disable·Saved·Passwords</ns0:title> |
| 96 | ······<ns0:actions> | 96 | ······<ns0:actions> |
| 97 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_saved_passwords_action:testaction:1</ns0:test_action_ref> | 97 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_saved_passwords_action:testaction:1</ns0:test_action_ref> |
| 98 | ······</ns0:actions> | 98 | ······</ns0:actions> |
| 99 | ····</ns0:questionnaire> | 99 | ····</ns0:questionnaire> |
| 100 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_ | 100 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_popups_ocil:questionnaire:1"> |
| 101 | ······<ns0:title>Disable· | 101 | ······<ns0:title>Disable·Popups</ns0:title> |
| 102 | ······<ns0:actions> | 102 | ······<ns0:actions> |
| 103 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_ | 103 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_popups_action:testaction:1</ns0:test_action_ref> |
| 104 | ······</ns0:actions> | 104 | ······</ns0:actions> |
| 105 | ····</ns0:questionnaire> | 105 | ····</ns0:questionnaire> |
| 106 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_incognito_mode_ocil:questionnaire:1"> | 106 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_incognito_mode_ocil:questionnaire:1"> |
| 107 | ······<ns0:title>Disable·Incognito·Mode</ns0:title> | 107 | ······<ns0:title>Disable·Incognito·Mode</ns0:title> |
| 108 | ······<ns0:actions> | 108 | ······<ns0:actions> |
| 109 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_incognito_mode_action:testaction:1</ns0:test_action_ref> | 109 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_incognito_mode_action:testaction:1</ns0:test_action_ref> |
| 110 | ······</ns0:actions> | 110 | ······</ns0:actions> |
| Offset 123, 18 lines modified | Offset 123, 18 lines modified | ||
| 123 | ····</ns0:questionnaire> | 123 | ····</ns0:questionnaire> |
| 124 | ····<ns0:questionnaire·id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1"> | 124 | ····<ns0:questionnaire·id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1"> |
| 125 | ······<ns0:title>Enable·the·Safe·Browsing·Feature</ns0:title> | 125 | ······<ns0:title>Enable·the·Safe·Browsing·Feature</ns0:title> |
| 126 | ······<ns0:actions> | 126 | ······<ns0:actions> |
| 127 | ········<ns0:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ns0:test_action_ref> | 127 | ········<ns0:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ns0:test_action_ref> |
| 128 | ······</ns0:actions> | 128 | ······</ns0:actions> |
| 129 | ····</ns0:questionnaire> | 129 | ····</ns0:questionnaire> |
| 130 | ····<ns0:questionnaire·id="ocil:ssg-chromium_ | 130 | ····<ns0:questionnaire·id="ocil:ssg-chromium_plugins_require_authorization_ocil:questionnaire:1"> |
| 131 | ······<ns0:title> | 131 | ······<ns0:title>Require·Outdated·Plugins·to·be·Authorized</ns0:title> |
| 132 | ······<ns0:actions> | 132 | ······<ns0:actions> |
| 133 | ········<ns0:test_action_ref>ocil:ssg-chromium_ | 133 | ········<ns0:test_action_ref>ocil:ssg-chromium_plugins_require_authorization_action:testaction:1</ns0:test_action_ref> |
| 134 | ······</ns0:actions> | 134 | ······</ns0:actions> |
| 135 | ····</ns0:questionnaire> | 135 | ····</ns0:questionnaire> |
| 136 | ····<ns0:questionnaire·id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1"> | 136 | ····<ns0:questionnaire·id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1"> |
| 137 | ······<ns0:title>Block·Plugins·by·Default</ns0:title> | 137 | ······<ns0:title>Block·Plugins·by·Default</ns0:title> |
| 138 | ······<ns0:actions> | 138 | ······<ns0:actions> |
| 139 | ········<ns0:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ns0:test_action_ref> | 139 | ········<ns0:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ns0:test_action_ref> |
| 140 | ······</ns0:actions> | 140 | ······</ns0:actions> |
| Offset 171, 30 lines modified | Offset 171, 30 lines modified | ||
| 171 | ····</ns0:questionnaire> | 171 | ····</ns0:questionnaire> |
| 172 | ····<ns0:questionnaire·id="ocil:ssg-chromium_block_desktop_notifications_ocil:questionnaire:1"> | 172 | ····<ns0:questionnaire·id="ocil:ssg-chromium_block_desktop_notifications_ocil:questionnaire:1"> |
| 173 | ······<ns0:title>Prevent·Desktop·Notifications</ns0:title> | 173 | ······<ns0:title>Prevent·Desktop·Notifications</ns0:title> |
| 174 | ······<ns0:actions> | 174 | ······<ns0:actions> |
| 175 | ········<ns0:test_action_ref>ocil:ssg-chromium_block_desktop_notifications_action:testaction:1</ns0:test_action_ref> | 175 | ········<ns0:test_action_ref>ocil:ssg-chromium_block_desktop_notifications_action:testaction:1</ns0:test_action_ref> |
| 176 | ······</ns0:actions> | 176 | ······</ns0:actions> |
| 177 | ····</ns0:questionnaire> | 177 | ····</ns0:questionnaire> |
| 178 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_ | 178 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_google_sync_ocil:questionnaire:1"> |
| 179 | ······<ns0:title>Disable· | 179 | ······<ns0:title>Disable·Data·Synchronization·to·Google</ns0:title> |
| 180 | ······<ns0:actions> | 180 | ······<ns0:actions> |
| 181 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_ | 181 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_google_sync_action:testaction:1</ns0:test_action_ref> |
| 182 | ······</ns0:actions> | 182 | ······</ns0:actions> |
| 183 | ····</ns0:questionnaire> | 183 | ····</ns0:questionnaire> |
| 184 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_thirdparty_cookies_ocil:questionnaire:1"> | 184 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_thirdparty_cookies_ocil:questionnaire:1"> |
| 185 | ······<ns0:title>Disable·3rd·Party·Cookies</ns0:title> | 185 | ······<ns0:title>Disable·3rd·Party·Cookies</ns0:title> |
| 186 | ······<ns0:actions> | 186 | ······<ns0:actions> |
| 187 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1</ns0:test_action_ref> | 187 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1</ns0:test_action_ref> |
| 188 | ······</ns0:actions> | 188 | ······</ns0:actions> |
| 189 | ····</ns0:questionnaire> | 189 | ····</ns0:questionnaire> |
| 190 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_po | 190 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_metrics_reporting_ocil:questionnaire:1"> |
| 191 | ······<ns0:title>Disable· | 191 | ······<ns0:title>Disable·Metrics·Reporting</ns0:title> |
| 192 | ······<ns0:actions> | 192 | ······<ns0:actions> |
| 193 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_po | 193 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1</ns0:test_action_ref> |
| 194 | ······</ns0:actions> | 194 | ······</ns0:actions> |
| 195 | ····</ns0:questionnaire> | 195 | ····</ns0:questionnaire> |
| 196 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_protocol_schemas_ocil:questionnaire:1"> | 196 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_protocol_schemas_ocil:questionnaire:1"> |
| 197 | ······<ns0:title>Disable·Insecure·And·Obsolete·Protocol·Schemas</ns0:title> | 197 | ······<ns0:title>Disable·Insecure·And·Obsolete·Protocol·Schemas</ns0:title> |
| 198 | ······<ns0:actions> | 198 | ······<ns0:actions> |
| 199 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1</ns0:test_action_ref> | 199 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1</ns0:test_action_ref> |
| 200 | ······</ns0:actions> | 200 | ······</ns0:actions> |
| Offset 207, 30 lines modified | Offset 207, 30 lines modified | ||
| 207 | ····</ns0:questionnaire> | 207 | ····</ns0:questionnaire> |
| 208 | ····<ns0:questionnaire·id="ocil:ssg-chromium_blacklist_extension_installation_ocil:questionnaire:1"> | 208 | ····<ns0:questionnaire·id="ocil:ssg-chromium_blacklist_extension_installation_ocil:questionnaire:1"> |
| 209 | ······<ns0:title>Disable·All·Extensions·by·Default</ns0:title> | 209 | ······<ns0:title>Disable·All·Extensions·by·Default</ns0:title> |
| 210 | ······<ns0:actions> | 210 | ······<ns0:actions> |
| 211 | ········<ns0:test_action_ref>ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1</ns0:test_action_ref> | 211 | ········<ns0:test_action_ref>ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1</ns0:test_action_ref> |
| 212 | ······</ns0:actions> | 212 | ······</ns0:actions> |
| 213 | ····</ns0:questionnaire> | 213 | ····</ns0:questionnaire> |
| 214 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_ | 214 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_network_prediction_ocil:questionnaire:1"> |
| 215 | ······<ns0:title>Disable· | 215 | ······<ns0:title>Disable·Network·Prediction</ns0:title> |
| 216 | ······<ns0:actions> | 216 | ······<ns0:actions> |
| 217 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_ | 217 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_network_prediction_action:testaction:1</ns0:test_action_ref> |
| 218 | ······</ns0:actions> | 218 | ······</ns0:actions> |
| 219 | ····</ns0:questionnaire> | 219 | ····</ns0:questionnaire> |
| 220 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1"> | 220 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1"> |
| 221 | ······<ns0:title>Disable·Cloud·Print·Sharing</ns0:title> | 221 | ······<ns0:title>Disable·Cloud·Print·Sharing</ns0:title> |
| 222 | ······<ns0:actions> | 222 | ······<ns0:actions> |
| 223 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ns0:test_action_ref> | 223 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ns0:test_action_ref> |
| 224 | ······</ns0:actions> | 224 | ······</ns0:actions> |
| 225 | ····</ns0:questionnaire> | 225 | ····</ns0:questionnaire> |
| 226 | ····<ns0:questionnaire·id="ocil:ssg-chromium_ | 226 | ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_cleartext_passwords_ocil:questionnaire:1"> |
| 227 | ······<ns0:title> | 227 | ······<ns0:title>Disable·Use·of·Cleartext·Passwords</ns0:title> |
| 228 | ······<ns0:actions> | 228 | ······<ns0:actions> |
| 229 | ········<ns0:test_action_ref>ocil:ssg-chromium_ | 229 | ········<ns0:test_action_ref>ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1</ns0:test_action_ref> |
| 230 | ······</ns0:actions> | 230 | ······</ns0:actions> |
| 231 | ····</ns0:questionnaire> | 231 | ····</ns0:questionnaire> |
| 232 | ··</ns0:questionnaires> | 232 | ··</ns0:questionnaires> |
| 233 | ··<ns0:test_actions> | 233 | ··<ns0:test_actions> |
| 234 | ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_session_cookies_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_session_cookies_question:question:1"> | 234 | ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_session_cookies_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_session_cookies_question:question:1"> |
| 235 | ······<ns0:when_true> | 235 | ······<ns0:when_true> |
| 236 | ········<ns0:result>PASS</ns0:result> | 236 | ········<ns0:result>PASS</ns0:result> |
| Offset 347, 15 lines modified | Offset 347, 15 lines modified | ||
| 347 | ······<ns0:when_true> | 347 | ······<ns0:when_true> |
| 348 | ········<ns0:result>PASS</ns0:result> | 348 | ········<ns0:result>PASS</ns0:result> |
| 349 | ······</ns0:when_true> | 349 | ······</ns0:when_true> |
| 350 | ······<ns0:when_false> | 350 | ······<ns0:when_false> |
| 351 | ········<ns0:result>FAIL</ns0:result> | 351 | ········<ns0:result>FAIL</ns0:result> |
| 352 | ······</ns0:when_false> | 352 | ······</ns0:when_false> |
| 353 | ····</ns0:boolean_question_test_action> | 353 | ····</ns0:boolean_question_test_action> |
| 354 | ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_ | 354 | ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_popups_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_popups_question:question:1"> |
| 355 | ······<ns0:when_true> | 355 | ······<ns0:when_true> |
| 356 | ········<ns0:result>PASS</ns0:result> | 356 | ········<ns0:result>PASS</ns0:result> |
| 357 | ······</ns0:when_true> | 357 | ······</ns0:when_true> |
| 358 | ······<ns0:when_false> | 358 | ······<ns0:when_false> |
| 359 | ········<ns0:result>FAIL</ns0:result> | 359 | ········<ns0:result>FAIL</ns0:result> |
| 360 | ······</ns0:when_false> | 360 | ······</ns0:when_false> |
| 361 | ····</ns0:boolean_question_test_action> | 361 | ····</ns0:boolean_question_test_action> |
| Offset 387, 15 lines modified | Offset 387, 15 lines modified | ||
| 387 | ······<ns0:when_true> | 387 | ······<ns0:when_true> |
| 388 | ········<ns0:result>PASS</ns0:result> | 388 | ········<ns0:result>PASS</ns0:result> |
| 389 | ······</ns0:when_true> | 389 | ······</ns0:when_true> |
| 390 | ······<ns0:when_false> | 390 | ······<ns0:when_false> |
| 391 | ········<ns0:result>FAIL</ns0:result> | 391 | ········<ns0:result>FAIL</ns0:result> |
| 392 | ······</ns0:when_false> | 392 | ······</ns0:when_false> |
| 393 | ····</ns0:boolean_question_test_action> | 393 | ····</ns0:boolean_question_test_action> |
| 394 | ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_ | 394 | ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_plugins_require_authorization_action:testaction:1"·question_ref="ocil:ssg-chromium_plugins_require_authorization_question:question:1"> |
| 395 | ······<ns0:when_true> | 395 | ······<ns0:when_true> |
| 396 | ········<ns0:result>PASS</ns0:result> | 396 | ········<ns0:result>PASS</ns0:result> |
| 397 | ······</ns0:when_true> | 397 | ······</ns0:when_true> |
| Max diff block lines reached; 11720/20354 bytes (57.58%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-chromium_blacklist_extension_installation:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-chromium_blacklist_extension_installation:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Blacklist·Extension·Installation</ns0:title> | 12 | ········<ns0:title>Blacklist·Extension·Installation</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Google·Chromium·Browser</ns0:platform> | 14 | ··········<ns0:platform>Google·Chromium·Browser</ns0:platform> |
| Offset 222, 219 lines modified | Offset 222, 14 lines modified | ||
| 222 | ····<refine-value·idref="var_extension_whitelist"·selector="none"/> | 222 | ····<refine-value·idref="var_extension_whitelist"·selector="none"/> |
| 223 | ····<refine-value·idref="var_auth_schema"·selector="negotiate"/> | 223 | ····<refine-value·idref="var_auth_schema"·selector="negotiate"/> |
| 224 | ····<refine-value·idref="var_trusted_home_page"·selector="blank"/> | 224 | ····<refine-value·idref="var_trusted_home_page"·selector="blank"/> |
| 225 | ··</Profile> | 225 | ··</Profile> |
| 226 | ··<Group·id="remediation_functions"> | 226 | ··<Group·id="remediation_functions"> |
| 227 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> | 227 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> |
| 228 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> | 228 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> |
| 229 | ····<Value·hidden="true"·id="function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> | ||
| 230 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_watch_rule</title> | ||
| 231 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> | ||
| 232 | ······<value>#·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: | ||
| 233 | #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements | ||
| 234 | #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect | ||
| 235 | #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules | ||
| 236 | # | ||
| 237 | #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: | ||
| 238 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, | ||
| 239 | #·» » » » » either·'auditctl',·or·'augenrules' | ||
| 240 | #·*·path························» value·of·-w·audit·rule's·argument | ||
| 241 | #·*·required·access·bits········» value·of·-p·audit·rule's·argument | ||
| 242 | #·*·key·························» value·of·-k·audit·rule's·argument | ||
| 243 | # | ||
| 244 | #·Example·call: | ||
| 245 | # | ||
| 246 | #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" | ||
| 247 | # | ||
| 248 | function·fix_audit_watch_rule·{ | ||
| 249 | #·Load·function·arguments·into·local·variables | ||
| 250 | local·tool="$1" | ||
| 251 | local·path="$2" | ||
| 252 | local·required_access_bits="$3" | ||
| 253 | local·key="$4" | ||
| 254 | #·Check·sanity·of·the·input | ||
| 255 | if·[·$#·-ne·"4"·] | ||
| 256 | then | ||
| 257 | » echo·"Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'" | ||
| 258 | » echo·"Aborting." | ||
| 259 | » exit·1 | ||
| 260 | fi | ||
| 261 | #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness | ||
| 262 | #·of·a·particular·audit·rule.·The·scheme·is·as·follows: | ||
| 263 | # | ||
| 264 | #·----------------------------------------------------------------------------------------- | ||
| 265 | #·Tool·used·to·load·audit·rules» |·Rule·already·defined» |··Audit·rules·file·to·inspect» ··| | ||
| 266 | #·----------------------------------------------------------------------------------------- | ||
| 267 | #» auditctl» » |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| | ||
| 268 | #·----------------------------------------------------------------------------------------- | ||
| 269 | #·» augenrules» » |··········Yes»»|··/etc/audit/rules.d/*.rules» ··| | ||
| 270 | #·» augenrules» » |··········No» » |··/etc/audit/rules.d/$key.rules··| | ||
| 271 | #·----------------------------------------------------------------------------------------- | ||
| 272 | declare·-a·files_to_inspect | ||
| 273 | #·Check·sanity·of·the·specified·audit·tool | ||
| 274 | if·[·"$tool"·!=·'auditctl'·]·&&·[·"$tool"·!=·'augenrules'·] | ||
| 275 | then | ||
| 276 | » echo·"Unknown·audit·rules·loading·tool:·$1.·Aborting." | ||
| 277 | » echo·"Use·either·'auditctl'·or·'augenrules'!" | ||
| 278 | » exit·1 | ||
| 279 | #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' | ||
| 280 | #·into·the·list·of·files·to·be·inspected | ||
| 281 | elif·[·"$tool"·==·'auditctl'·] | ||
| 282 | then | ||
| 283 | » files_to_inspect=("${files_to_inspect[@]}"·'/etc/audit/audit.rules') | ||
| 284 | #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined | ||
| 285 | #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. | ||
| 286 | #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. | ||
| 287 | elif·[·"$tool"·==·'augenrules'·] | ||
| 288 | then | ||
| 289 | » #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file | ||
| 290 | » #·Get·pair·--·filepath·:·matching_row·into·@matches·array | ||
| 291 | » IFS=$'\n'·matches=($(grep·-P·"[\s]*-w[\s]+$path"·/etc/audit/rules.d/*.rules)) | ||
| 292 | » #·Reset·IFS·back·to·default | ||
| 293 | » unset·IFS | ||
| 294 | » #·For·each·of·the·matched·entries | ||
| 295 | » for·match·in·"${matches[@]}" | ||
| 296 | » do | ||
| 297 | » » #·Extract·filepath·from·the·match | ||
| 298 | » » rulesd_audit_file=$(echo·$match·|·cut·-f1·-d·':') | ||
| 299 | » » #·Append·that·path·into·list·of·files·for·inspection | ||
| 300 | » » files_to_inspect=("${files_to_inspect[@]}"·"$rulesd_audit_file") | ||
| 301 | » done | ||
| 302 | » #·Case·when·particular·audit·rule·isn't·defined·yet | ||
| 303 | » if·[·${#files_to_inspect[@]}·-eq·"0"·] | ||
| 304 | » then | ||
| 305 | » » #·Append·'/etc/audit/rules.d/$key.rules'·into·list·of·files·for·inspection | ||
| 306 | » » files_to_inspect="/etc/audit/rules.d/$key.rules" | ||
| 307 | » » #·If·the·$key.rules·file·doesn't·exist·yet,·create·it·with·correct·permissions | ||
| 308 | » » if·[·!·-e·"$files_to_inspect"·] | ||
| 309 | » » then | ||
| 310 | » » » touch·"$files_to_inspect" | ||
| 311 | » » » chmod·0640·"$files_to_inspect" | ||
| 312 | » » fi | ||
| 313 | » fi | ||
| 314 | fi | ||
| 315 | #·Finally·perform·the·inspection·and·possible·subsequent·audit·rule | ||
| 316 | #·correction·for·each·of·the·files·previously·identified·for·inspection | ||
| 317 | for·audit_rules_file·in·"${files_to_inspect[@]}" | ||
| 318 | do | ||
| 319 | » #·Check·if·audit·watch·file·system·object·rule·for·given·path·already·present | ||
| 320 | » if·grep·-q·-P·--·"[\s]*-w[\s]+$path"·"$audit_rules_file" | ||
| 321 | » then | ||
| 322 | » » #·Rule·is·found·=>·verify·yet·if·existing·rule·definition·contains | ||
| 323 | » » #·all·of·the·required·access·type·bits | ||
| 324 | » » #·Escape·slashes·in·path·for·use·in·sed·pattern·below | ||
| 325 | » » local·esc_path=${path//$'/'/$'\/'} | ||
| 326 | » » #·Define·BRE·whitespace·class·shortcut | ||
| 327 | » » local·sp="[[:space:]]" | ||
| 328 | » » #·Extract·current·permission·access·types·(e.g.·-p·[r|w|x|a]·values)·from·audit·rule | ||
| 329 | » » current_access_bits=$(sed·-ne·"s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p"·"$audit_rules_file") | ||
| 330 | » » #·Split·required·access·bits·string·into·characters·array | ||
| 331 | » » #·(to·check·bit's·presence·for·one·bit·at·a·time) | ||
| 332 | » » for·access_bit·in·$(echo·"$required_access_bits"·|·grep·-o·.) | ||
| 333 | » » do | ||
| 334 | » » » #·For·each·from·the·required·access·bits·(e.g.·'w',·'a')·check | ||
| 335 | » » » #·if·they·are·already·present·in·current·access·bits·for·rule. | ||
| 336 | » » » #·If·not,·append·that·bit·at·the·end | ||
| 337 | » » » if·!·grep·-q·"$access_bit"·<<<·"$current_access_bits" | ||
| 338 | » » » then | ||
| 339 | » » » » #·Concatenate·the·existing·mask·with·the·missing·bit | ||
| 340 | » » » » current_access_bits="$current_access_bits$access_bit" | ||
| 341 | » » » fi | ||
| Max diff block lines reached; 94296/104957 bytes (89.84%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"·version="1"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Installed·operating·system·is·part·of·the·Unix·family</ns0:title> | 12 | ········<ns0:title>Installed·operating·system·is·part·of·the·Unix·family</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:product>Mozilla·Firefox</ns0:product> | 14 | ··········<ns0:product>Mozilla·Firefox</ns0:product> |
| Offset 7, 665 lines modified | Offset 7, 32 lines modified | ||
| 7 | ··········<cat:uri·name="ssg-firefox-cpe-oval.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml"/> | 7 | ··········<cat:uri·name="ssg-firefox-cpe-oval.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml"/> |
| 8 | ········</cat:catalog> | 8 | ········</cat:catalog> |
| 9 | ······</ds:component-ref> | 9 | ······</ds:component-ref> |
| 10 | ····</ds:dictionaries> | 10 | ····</ds:dictionaries> |
| 11 | ····<ds:checklists> | 11 | ····<ds:checklists> |
| 12 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-xccdf-1.2.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-xccdf-1.2.xml"> | 12 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-xccdf-1.2.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-xccdf-1.2.xml"> |
| 13 | ········<cat:catalog> | 13 | ········<cat:catalog> |
| 14 | ··········<cat:uri·name="ssg-firefox-ocil.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-ocil.xml"/> | ||
| 15 | ··········<cat:uri·name="ssg-firefox-oval.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-oval.xml"/> | 14 | ··········<cat:uri·name="ssg-firefox-oval.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-oval.xml"/> |
| 15 | ··········<cat:uri·name="ssg-firefox-ocil.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-ocil.xml"/> | ||
| 16 | ········</cat:catalog> | 16 | ········</cat:catalog> |
| 17 | ······</ds:component-ref> | 17 | ······</ds:component-ref> |
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-ocil.xml"/> | ||
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-ocil.xml"/> | ||
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-firefox-o | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-firefox-oval.xml"·timestamp="2020-07-12T18:44:50"> |
| 26 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | ||
| 27 | ······<ns0:generator> | ||
| 28 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | ||
| 29 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | ||
| 30 | ········<ns0:schema_version>2.0</ns0:schema_version> | ||
| 31 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | ||
| 32 | ······</ns0:generator> | ||
| 33 | ······<ns0:questionnaires> | ||
| 34 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1"> | ||
| 35 | ··········<ns0:title>The·DoD·Root·Certificate·Exists</ns0:title> | ||
| 36 | ··········<ns0:actions> | ||
| 37 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ns0:test_action_ref> | ||
| 38 | ··········</ns0:actions> | ||
| 39 | ········</ns0:questionnaire> | ||
| 40 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1"> | ||
| 41 | ··········<ns0:title>Enable·Shared·System·Certificates</ns0:title> | ||
| 42 | ··········<ns0:actions> | ||
| 43 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ns0:test_action_ref> | ||
| 44 | ··········</ns0:actions> | ||
| 45 | ········</ns0:questionnaire> | ||
| 46 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_user_notice_ocil:questionnaire:1"> | ||
| 47 | ··········<ns0:title>Disable·User·Prompt·When·Data·Is·Cleared</ns0:title> | ||
| 48 | ··········<ns0:actions> | ||
| 49 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1</ns0:test_action_ref> | ||
| 50 | ··········</ns0:actions> | ||
| 51 | ········</ns0:questionnaire> | ||
| 52 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_clear_ocil:questionnaire:1"> | ||
| 53 | ··········<ns0:title>Clear·Data·When·Firefox·Closes</ns0:title> | ||
| 54 | ··········<ns0:actions> | ||
| 55 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-cookies_clear_action:testaction:1</ns0:test_action_ref> | ||
| 56 | ··········</ns0:actions> | ||
| 57 | ········</ns0:questionnaire> | ||
| 58 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-lock_settings_obscure_ocil:questionnaire:1"> | ||
| 59 | ··········<ns0:title>Disable·Firefox·Configuration·File·ROT-13·Encoding</ns0:title> | ||
| 60 | ··········<ns0:actions> | ||
| 61 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-lock_settings_obscure_action:testaction:1</ns0:test_action_ref> | ||
| 62 | ··········</ns0:actions> | ||
| 63 | ········</ns0:questionnaire> | ||
| 64 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-lock_settings_config_file_ocil:questionnaire:1"> | ||
| 65 | ··········<ns0:title>Set·Firefox·Configuration·File·Location</ns0:title> | ||
| 66 | ··········<ns0:actions> | ||
| 67 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1</ns0:test_action_ref> | ||
| 68 | ··········</ns0:actions> | ||
| 69 | ········</ns0:questionnaire> | ||
| 70 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-ssl_protocol_tls_ocil:questionnaire:1"> | ||
| 71 | ··········<ns0:title>Enable·TLS·Usage·in·Firefox</ns0:title> | ||
| 72 | ··········<ns0:actions> | ||
| 73 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-ssl_protocol_tls_action:testaction:1</ns0:test_action_ref> | ||
| 74 | ··········</ns0:actions> | ||
| 75 | ········</ns0:questionnaire> | ||
| 76 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-home_page_ocil:questionnaire:1"> | ||
| 77 | ··········<ns0:title>Default·Firefox·Home·Page·Configured</ns0:title> | ||
| 78 | ··········<ns0:actions> | ||
| 79 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-home_page_action:testaction:1</ns0:test_action_ref> | ||
| 80 | ··········</ns0:actions> | ||
| 81 | ········</ns0:questionnaire> | ||
| 82 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-shell_protocol_ocil:questionnaire:1"> | ||
| 83 | ··········<ns0:title>Disable·Firefox·Access·to·Shell·Protocols</ns0:title> | ||
| 84 | ··········<ns0:actions> | ||
| 85 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-shell_protocol_action:testaction:1</ns0:test_action_ref> | ||
| 86 | ··········</ns0:actions> | ||
| 87 | ········</ns0:questionnaire> | ||
| 88 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-auto-download_actions_ocil:questionnaire:1"> | ||
| 89 | ··········<ns0:title>Disable·Automatic·Downloads·of·MIME·Types</ns0:title> | ||
| 90 | ··········<ns0:actions> | ||
| 91 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1</ns0:test_action_ref> | ||
| 92 | ··········</ns0:actions> | ||
| 93 | ········</ns0:questionnaire> | ||
| 94 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-search_update_ocil:questionnaire:1"> | ||
| 95 | ··········<ns0:title>Disable·Installed·Search·Plugins·Update·Checking</ns0:title> | ||
| 96 | ··········<ns0:actions> | ||
| 97 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-search_update_action:testaction:1</ns0:test_action_ref> | ||
| 98 | ··········</ns0:actions> | ||
| 99 | ········</ns0:questionnaire> | ||
| 100 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-addons_plugin_updates_ocil:questionnaire:1"> | ||
| 101 | ··········<ns0:title>Disable·Addons·Plugin·Updates</ns0:title> | ||
| 102 | ··········<ns0:actions> | ||
| 103 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-addons_plugin_updates_action:testaction:1</ns0:test_action_ref> | ||
| 104 | ··········</ns0:actions> | ||
| 105 | ········</ns0:questionnaire> | ||
| 106 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-open_confirmation_ocil:questionnaire:1"> | ||
| 107 | ··········<ns0:title>Enable·Downloading·and·Opening·File·Confirmation</ns0:title> | ||
| 108 | ··········<ns0:actions> | ||
| 109 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-open_confirmation_action:testaction:1</ns0:test_action_ref> | ||
| 110 | ··········</ns0:actions> | ||
| 111 | ········</ns0:questionnaire> | ||
| 112 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_window_resizing_ocil:questionnaire:1"> | ||
| 113 | ··········<ns0:title>Disable·JavaScript's·Moving·Or·Resizing·Windows·Capability</ns0:title> | ||
| 114 | ··········<ns0:actions> | ||
| 115 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_window_resizing_action:testaction:1</ns0:test_action_ref> | ||
| 116 | ··········</ns0:actions> | ||
| 117 | ········</ns0:questionnaire> | ||
| 118 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-verification_ocil:questionnaire:1"> | ||
| 119 | ··········<ns0:title>Enable·Certificate·Verification</ns0:title> | ||
| 120 | ··········<ns0:actions> | ||
| 121 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-verification_action:testaction:1</ns0:test_action_ref> | ||
| 122 | ··········</ns0:actions> | ||
| 123 | ········</ns0:questionnaire> | ||
| 124 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-pop-up_windows_ocil:questionnaire:1"> | ||
| 125 | ··········<ns0:title>Enable·Firefox·Pop-up·Blocker</ns0:title> | ||
| 126 | ··········<ns0:actions> | ||
| 127 | ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-pop-up_windows_action:testaction:1</ns0:test_action_ref> | ||
| 128 | ··········</ns0:actions> | ||
| 129 | ········</ns0:questionnaire> | ||
| 130 | ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-ssl_version_2_ocil:questionnaire:1"> | ||
| 131 | ··········<ns0:title>Disable·SSL·Version·2.0·in·Firefox</ns0:title> | ||
| Max diff block lines reached; 140060/180097 bytes (77.77%) of diff not shown. | |||
| Offset 3, 26 lines modified | Offset 3, 14 lines modified | ||
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 6 | ····<ns0:schema_version>2.0</ns0:schema_version> | 6 | ····<ns0:schema_version>2.0</ns0:schema_version> |
| 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:questionnaires> | 9 | ··<ns0:questionnaires> |
| 10 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1"> | ||
| 11 | ······<ns0:title>The·DoD·Root·Certificate·Exists</ns0:title> | ||
| 12 | ······<ns0:actions> | ||
| 13 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ns0:test_action_ref> | ||
| 14 | ······</ns0:actions> | ||
| 15 | ····</ns0:questionnaire> | ||
| 16 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1"> | ||
| 17 | ······<ns0:title>Enable·Shared·System·Certificates</ns0:title> | ||
| 18 | ······<ns0:actions> | ||
| 19 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ns0:test_action_ref> | ||
| 20 | ······</ns0:actions> | ||
| 21 | ····</ns0:questionnaire> | ||
| 22 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_user_notice_ocil:questionnaire:1"> | 10 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_user_notice_ocil:questionnaire:1"> |
| 23 | ······<ns0:title>Disable·User·Prompt·When·Data·Is·Cleared</ns0:title> | 11 | ······<ns0:title>Disable·User·Prompt·When·Data·Is·Cleared</ns0:title> |
| 24 | ······<ns0:actions> | 12 | ······<ns0:actions> |
| 25 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1</ns0:test_action_ref> | 13 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1</ns0:test_action_ref> |
| 26 | ······</ns0:actions> | 14 | ······</ns0:actions> |
| 27 | ····</ns0:questionnaire> | 15 | ····</ns0:questionnaire> |
| 28 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_clear_ocil:questionnaire:1"> | 16 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_clear_ocil:questionnaire:1"> |
| Offset 39, 14 lines modified | Offset 27, 26 lines modified | ||
| 39 | ····</ns0:questionnaire> | 27 | ····</ns0:questionnaire> |
| 40 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-lock_settings_config_file_ocil:questionnaire:1"> | 28 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-lock_settings_config_file_ocil:questionnaire:1"> |
| 41 | ······<ns0:title>Set·Firefox·Configuration·File·Location</ns0:title> | 29 | ······<ns0:title>Set·Firefox·Configuration·File·Location</ns0:title> |
| 42 | ······<ns0:actions> | 30 | ······<ns0:actions> |
| 43 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1</ns0:test_action_ref> | 31 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1</ns0:test_action_ref> |
| 44 | ······</ns0:actions> | 32 | ······</ns0:actions> |
| 45 | ····</ns0:questionnaire> | 33 | ····</ns0:questionnaire> |
| 34 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1"> | ||
| 35 | ······<ns0:title>The·DoD·Root·Certificate·Exists</ns0:title> | ||
| 36 | ······<ns0:actions> | ||
| 37 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ns0:test_action_ref> | ||
| 38 | ······</ns0:actions> | ||
| 39 | ····</ns0:questionnaire> | ||
| 40 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1"> | ||
| 41 | ······<ns0:title>Enable·Shared·System·Certificates</ns0:title> | ||
| 42 | ······<ns0:actions> | ||
| 43 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ns0:test_action_ref> | ||
| 44 | ······</ns0:actions> | ||
| 45 | ····</ns0:questionnaire> | ||
| 46 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-ssl_protocol_tls_ocil:questionnaire:1"> | 46 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-ssl_protocol_tls_ocil:questionnaire:1"> |
| 47 | ······<ns0:title>Enable·TLS·Usage·in·Firefox</ns0:title> | 47 | ······<ns0:title>Enable·TLS·Usage·in·Firefox</ns0:title> |
| 48 | ······<ns0:actions> | 48 | ······<ns0:actions> |
| 49 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-ssl_protocol_tls_action:testaction:1</ns0:test_action_ref> | 49 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-ssl_protocol_tls_action:testaction:1</ns0:test_action_ref> |
| 50 | ······</ns0:actions> | 50 | ······</ns0:actions> |
| 51 | ····</ns0:questionnaire> | 51 | ····</ns0:questionnaire> |
| 52 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-home_page_ocil:questionnaire:1"> | 52 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-home_page_ocil:questionnaire:1"> |
| Offset 123, 18 lines modified | Offset 123, 18 lines modified | ||
| 123 | ····</ns0:questionnaire> | 123 | ····</ns0:questionnaire> |
| 124 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_window_changes_ocil:questionnaire:1"> | 124 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_window_changes_ocil:questionnaire:1"> |
| 125 | ······<ns0:title>Disable·JavaScript's·Raise·Or·Lower·Windows·Capability</ns0:title> | 125 | ······<ns0:title>Disable·JavaScript's·Raise·Or·Lower·Windows·Capability</ns0:title> |
| 126 | ······<ns0:actions> | 126 | ······<ns0:actions> |
| 127 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_window_changes_action:testaction:1</ns0:test_action_ref> | 127 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_window_changes_action:testaction:1</ns0:test_action_ref> |
| 128 | ······</ns0:actions> | 128 | ······</ns0:actions> |
| 129 | ····</ns0:questionnaire> | 129 | ····</ns0:questionnaire> |
| 130 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_ | 130 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_status_bar_text_ocil:questionnaire:1"> |
| 131 | ······<ns0:title>Disable·JavaScript· | 131 | ······<ns0:title>Disable·JavaScript's·Ability·To·Modify·The·Browser·Appearance</ns0:title> |
| 132 | ······<ns0:actions> | 132 | ······<ns0:actions> |
| 133 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_ | 133 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_status_bar_text_action:testaction:1</ns0:test_action_ref> |
| 134 | ······</ns0:actions> | 134 | ······</ns0:actions> |
| 135 | ····</ns0:questionnaire> | 135 | ····</ns0:questionnaire> |
| 136 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_status_bar_changes_ocil:questionnaire:1"> | 136 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_status_bar_changes_ocil:questionnaire:1"> |
| 137 | ······<ns0:title>Disable·JavaScript's·Ability·To·Change·The·Status·Bar</ns0:title> | 137 | ······<ns0:title>Disable·JavaScript's·Ability·To·Change·The·Status·Bar</ns0:title> |
| 138 | ······<ns0:actions> | 138 | ······<ns0:actions> |
| 139 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_status_bar_changes_action:testaction:1</ns0:test_action_ref> | 139 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_status_bar_changes_action:testaction:1</ns0:test_action_ref> |
| 140 | ······</ns0:actions> | 140 | ······</ns0:actions> |
| Offset 165, 63 lines modified | Offset 165, 63 lines modified | ||
| 165 | ····</ns0:questionnaire> | 165 | ····</ns0:questionnaire> |
| 166 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-password_store_ocil:questionnaire:1"> | 166 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-password_store_ocil:questionnaire:1"> |
| 167 | ······<ns0:title>Disable·the·Firefox·Password·Store</ns0:title> | 167 | ······<ns0:title>Disable·the·Firefox·Password·Store</ns0:title> |
| 168 | ······<ns0:actions> | 168 | ······<ns0:actions> |
| 169 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-password_store_action:testaction:1</ns0:test_action_ref> | 169 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-password_store_action:testaction:1</ns0:test_action_ref> |
| 170 | ······</ns0:actions> | 170 | ······</ns0:actions> |
| 171 | ····</ns0:questionnaire> | 171 | ····</ns0:questionnaire> |
| 172 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_ | 172 | ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_context_menus_ocil:questionnaire:1"> |
| 173 | ······<ns0:title>Disable·JavaScript | 173 | ······<ns0:title>Disable·JavaScript·Context·Menus</ns0:title> |
| 174 | ······<ns0:actions> | 174 | ······<ns0:actions> |
| 175 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_ | 175 | ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_context_menus_action:testaction:1</ns0:test_action_ref> |
| 176 | ······</ns0:actions> | 176 | ······</ns0:actions> |
| 177 | ····</ns0:questionnaire> | 177 | ····</ns0:questionnaire> |
| 178 | ··</ns0:questionnaires> | 178 | ··</ns0:questionnaires> |
| 179 | ··<ns0:test_actions> | 179 | ··<ns0:test_actions> |
| 180 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences- | 180 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-cookies_user_notice_question:question:1"> |
| 181 | ······<ns0:when_true> | 181 | ······<ns0:when_true> |
| 182 | ········<ns0:result>PASS</ns0:result> | 182 | ········<ns0:result>PASS</ns0:result> |
| 183 | ······</ns0:when_true> | 183 | ······</ns0:when_true> |
| 184 | ······<ns0:when_false> | 184 | ······<ns0:when_false> |
| 185 | ········<ns0:result>FAIL</ns0:result> | 185 | ········<ns0:result>FAIL</ns0:result> |
| 186 | ······</ns0:when_false> | 186 | ······</ns0:when_false> |
| 187 | ····</ns0:boolean_question_test_action> | 187 | ····</ns0:boolean_question_test_action> |
| 188 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences- | 188 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-cookies_clear_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-cookies_clear_question:question:1"> |
| 189 | ······<ns0:when_true> | 189 | ······<ns0:when_true> |
| 190 | ········<ns0:result>PASS</ns0:result> | 190 | ········<ns0:result>PASS</ns0:result> |
| 191 | ······</ns0:when_true> | 191 | ······</ns0:when_true> |
| 192 | ······<ns0:when_false> | 192 | ······<ns0:when_false> |
| 193 | ········<ns0:result>FAIL</ns0:result> | 193 | ········<ns0:result>FAIL</ns0:result> |
| 194 | ······</ns0:when_false> | 194 | ······</ns0:when_false> |
| 195 | ····</ns0:boolean_question_test_action> | 195 | ····</ns0:boolean_question_test_action> |
| 196 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences- | 196 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-lock_settings_obscure_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-lock_settings_obscure_question:question:1"> |
| 197 | ······<ns0:when_true> | 197 | ······<ns0:when_true> |
| 198 | ········<ns0:result>PASS</ns0:result> | 198 | ········<ns0:result>PASS</ns0:result> |
| 199 | ······</ns0:when_true> | 199 | ······</ns0:when_true> |
| 200 | ······<ns0:when_false> | 200 | ······<ns0:when_false> |
| 201 | ········<ns0:result>FAIL</ns0:result> | 201 | ········<ns0:result>FAIL</ns0:result> |
| 202 | ······</ns0:when_false> | 202 | ······</ns0:when_false> |
| 203 | ····</ns0:boolean_question_test_action> | 203 | ····</ns0:boolean_question_test_action> |
| 204 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences- | 204 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-lock_settings_config_file_question:question:1"> |
| 205 | ······<ns0:when_true> | 205 | ······<ns0:when_true> |
| 206 | ········<ns0:result>PASS</ns0:result> | 206 | ········<ns0:result>PASS</ns0:result> |
| 207 | ······</ns0:when_true> | 207 | ······</ns0:when_true> |
| 208 | ······<ns0:when_false> | 208 | ······<ns0:when_false> |
| 209 | ········<ns0:result>FAIL</ns0:result> | 209 | ········<ns0:result>FAIL</ns0:result> |
| 210 | ······</ns0:when_false> | 210 | ······</ns0:when_false> |
| 211 | ····</ns0:boolean_question_test_action> | 211 | ····</ns0:boolean_question_test_action> |
| 212 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences- | 212 | ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-dod_root_certificate_installed_question:question:1"> |
| 213 | ······<ns0:when_true> | 213 | ······<ns0:when_true> |
| 214 | ········<ns0:result>PASS</ns0:result> | 214 | ········<ns0:result>PASS</ns0:result> |
| 215 | ······</ns0:when_true> | 215 | ······</ns0:when_true> |
| 216 | ······<ns0:when_false> | 216 | ······<ns0:when_false> |
| 217 | ········<ns0:result>FAIL</ns0:result> | 217 | ········<ns0:result>FAIL</ns0:result> |
| 218 | ······</ns0:when_false> | 218 | ······</ns0:when_false> |
| Max diff block lines reached; 8598/17391 bytes (49.44%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-firefox_preferences-addons_plugin_updates:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-firefox_preferences-addons_plugin_updates:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Disable·Addons·Plugin·Updates</ns0:title> | 12 | ········<ns0:title>Disable·Addons·Plugin·Updates</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Mozilla·Firefox</ns0:platform> | 14 | ··········<ns0:platform>Mozilla·Firefox</ns0:platform> |
| Offset 209, 219 lines modified | Offset 209, 14 lines modified | ||
| 209 | ····<select·idref="remediation_functions"·selected="false"/> | 209 | ····<select·idref="remediation_functions"·selected="false"/> |
| 210 | ····<refine-value·idref="var_default_home_page"·selector="about_blank"/> | 210 | ····<refine-value·idref="var_default_home_page"·selector="about_blank"/> |
| 211 | ····<refine-value·idref="var_required_file_types"·selector="default"/> | 211 | ····<refine-value·idref="var_required_file_types"·selector="default"/> |
| 212 | ··</Profile> | 212 | ··</Profile> |
| 213 | ··<Group·id="remediation_functions"> | 213 | ··<Group·id="remediation_functions"> |
| 214 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> | 214 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> |
| 215 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> | 215 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> |
| 216 | ····<Value·hidden="true"·id="function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> | ||
| 217 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_watch_rule</title> | ||
| 218 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> | ||
| 219 | ······<value>#·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: | ||
| 220 | #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements | ||
| 221 | #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect | ||
| 222 | #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules | ||
| 223 | # | ||
| 224 | #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: | ||
| 225 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, | ||
| 226 | #·» » » » » either·'auditctl',·or·'augenrules' | ||
| 227 | #·*·path························» value·of·-w·audit·rule's·argument | ||
| 228 | #·*·required·access·bits········» value·of·-p·audit·rule's·argument | ||
| 229 | #·*·key·························» value·of·-k·audit·rule's·argument | ||
| 230 | # | ||
| 231 | #·Example·call: | ||
| 232 | # | ||
| 233 | #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" | ||
| 234 | # | ||
| 235 | function·fix_audit_watch_rule·{ | ||
| 236 | #·Load·function·arguments·into·local·variables | ||
| 237 | local·tool="$1" | ||
| 238 | local·path="$2" | ||
| 239 | local·required_access_bits="$3" | ||
| 240 | local·key="$4" | ||
| 241 | #·Check·sanity·of·the·input | ||
| 242 | if·[·$#·-ne·"4"·] | ||
| 243 | then | ||
| 244 | » echo·"Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'" | ||
| 245 | » echo·"Aborting." | ||
| 246 | » exit·1 | ||
| 247 | fi | ||
| 248 | #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness | ||
| 249 | #·of·a·particular·audit·rule.·The·scheme·is·as·follows: | ||
| 250 | # | ||
| 251 | #·----------------------------------------------------------------------------------------- | ||
| 252 | #·Tool·used·to·load·audit·rules» |·Rule·already·defined» |··Audit·rules·file·to·inspect» ··| | ||
| 253 | #·----------------------------------------------------------------------------------------- | ||
| 254 | #» auditctl» » |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| | ||
| 255 | #·----------------------------------------------------------------------------------------- | ||
| 256 | #·» augenrules» » |··········Yes»»|··/etc/audit/rules.d/*.rules» ··| | ||
| 257 | #·» augenrules» » |··········No» » |··/etc/audit/rules.d/$key.rules··| | ||
| 258 | #·----------------------------------------------------------------------------------------- | ||
| 259 | declare·-a·files_to_inspect | ||
| 260 | #·Check·sanity·of·the·specified·audit·tool | ||
| 261 | if·[·"$tool"·!=·'auditctl'·]·&&·[·"$tool"·!=·'augenrules'·] | ||
| 262 | then | ||
| 263 | » echo·"Unknown·audit·rules·loading·tool:·$1.·Aborting." | ||
| 264 | » echo·"Use·either·'auditctl'·or·'augenrules'!" | ||
| 265 | » exit·1 | ||
| 266 | #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' | ||
| 267 | #·into·the·list·of·files·to·be·inspected | ||
| 268 | elif·[·"$tool"·==·'auditctl'·] | ||
| 269 | then | ||
| 270 | » files_to_inspect=("${files_to_inspect[@]}"·'/etc/audit/audit.rules') | ||
| 271 | #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined | ||
| 272 | #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. | ||
| 273 | #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. | ||
| 274 | elif·[·"$tool"·==·'augenrules'·] | ||
| 275 | then | ||
| 276 | » #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file | ||
| 277 | » #·Get·pair·--·filepath·:·matching_row·into·@matches·array | ||
| 278 | » IFS=$'\n'·matches=($(grep·-P·"[\s]*-w[\s]+$path"·/etc/audit/rules.d/*.rules)) | ||
| 279 | » #·Reset·IFS·back·to·default | ||
| 280 | » unset·IFS | ||
| 281 | » #·For·each·of·the·matched·entries | ||
| 282 | » for·match·in·"${matches[@]}" | ||
| 283 | » do | ||
| 284 | » » #·Extract·filepath·from·the·match | ||
| 285 | » » rulesd_audit_file=$(echo·$match·|·cut·-f1·-d·':') | ||
| 286 | » » #·Append·that·path·into·list·of·files·for·inspection | ||
| 287 | » » files_to_inspect=("${files_to_inspect[@]}"·"$rulesd_audit_file") | ||
| 288 | » done | ||
| 289 | » #·Case·when·particular·audit·rule·isn't·defined·yet | ||
| 290 | » if·[·${#files_to_inspect[@]}·-eq·"0"·] | ||
| 291 | » then | ||
| 292 | » » #·Append·'/etc/audit/rules.d/$key.rules'·into·list·of·files·for·inspection | ||
| 293 | » » files_to_inspect="/etc/audit/rules.d/$key.rules" | ||
| 294 | » » #·If·the·$key.rules·file·doesn't·exist·yet,·create·it·with·correct·permissions | ||
| 295 | » » if·[·!·-e·"$files_to_inspect"·] | ||
| 296 | » » then | ||
| 297 | » » » touch·"$files_to_inspect" | ||
| 298 | » » » chmod·0640·"$files_to_inspect" | ||
| 299 | » » fi | ||
| 300 | » fi | ||
| 301 | fi | ||
| 302 | #·Finally·perform·the·inspection·and·possible·subsequent·audit·rule | ||
| 303 | #·correction·for·each·of·the·files·previously·identified·for·inspection | ||
| 304 | for·audit_rules_file·in·"${files_to_inspect[@]}" | ||
| 305 | do | ||
| 306 | » #·Check·if·audit·watch·file·system·object·rule·for·given·path·already·present | ||
| 307 | » if·grep·-q·-P·--·"[\s]*-w[\s]+$path"·"$audit_rules_file" | ||
| 308 | » then | ||
| 309 | » » #·Rule·is·found·=>·verify·yet·if·existing·rule·definition·contains | ||
| 310 | » » #·all·of·the·required·access·type·bits | ||
| 311 | » » #·Escape·slashes·in·path·for·use·in·sed·pattern·below | ||
| 312 | » » local·esc_path=${path//$'/'/$'\/'} | ||
| 313 | » » #·Define·BRE·whitespace·class·shortcut | ||
| 314 | » » local·sp="[[:space:]]" | ||
| 315 | » » #·Extract·current·permission·access·types·(e.g.·-p·[r|w|x|a]·values)·from·audit·rule | ||
| 316 | » » current_access_bits=$(sed·-ne·"s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p"·"$audit_rules_file") | ||
| 317 | » » #·Split·required·access·bits·string·into·characters·array | ||
| 318 | » » #·(to·check·bit's·presence·for·one·bit·at·a·time) | ||
| 319 | » » for·access_bit·in·$(echo·"$required_access_bits"·|·grep·-o·.) | ||
| 320 | » » do | ||
| 321 | » » » #·For·each·from·the·required·access·bits·(e.g.·'w',·'a')·check | ||
| 322 | » » » #·if·they·are·already·present·in·current·access·bits·for·rule. | ||
| 323 | » » » #·If·not,·append·that·bit·at·the·end | ||
| 324 | » » » if·!·grep·-q·"$access_bit"·<<<·"$current_access_bits" | ||
| 325 | » » » then | ||
| 326 | » » » » #·Concatenate·the·existing·mask·with·the·missing·bit | ||
| 327 | » » » » current_access_bits="$current_access_bits$access_bit" | ||
| 328 | » » » fi | ||
| Max diff block lines reached; 88120/98786 bytes (89.20%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:23:21</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Java·Runtime·Environment</ns0:title> | 12 | ········<ns0:title>Java·Runtime·Environment</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product> | 14 | ··········<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product> |
| Offset 18, 21 lines modified | Offset 18, 21 lines modified | ||
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-ocil.xml"/> | 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-ocil.xml"/> |
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-oval.xml"·timestamp="2020-07-1 | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-oval.xml"·timestamp="2020-07-12T18:45:47"> |
| 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 27 | ······<ns0:generator> | 27 | ······<ns0:generator> |
| 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 30 | ········<ns2:schema_version>5.11</ns2:schema_version> | 30 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 31 | ········<ns2:timestamp>2020-07-12T0 | 31 | ········<ns2:timestamp>2020-07-12T04:23:21</ns2:timestamp> |
| 32 | ······</ns0:generator> | 32 | ······</ns0:generator> |
| 33 | ······<ns0:definitions> | 33 | ······<ns0:definitions> |
| 34 | ········<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1"> | 34 | ········<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1"> |
| 35 | ··········<ns0:metadata> | 35 | ··········<ns0:metadata> |
| 36 | ············<ns0:title>Java·Runtime·Environment</ns0:title> | 36 | ············<ns0:title>Java·Runtime·Environment</ns0:title> |
| 37 | ············<ns0:affected·family="unix"> | 37 | ············<ns0:affected·family="unix"> |
| 38 | ··············<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product> | 38 | ··············<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product> |
| Offset 314, 15 lines modified | Offset 314, 15 lines modified | ||
| 314 | ········</ns3:rpminfo_state> | 314 | ········</ns3:rpminfo_state> |
| 315 | ········<ns3:rpminfo_state·id="oval:ssg-state_ibm_java_rhel:ste:1"·version="1"> | 315 | ········<ns3:rpminfo_state·id="oval:ssg-state_ibm_java_rhel:ste:1"·version="1"> |
| 316 | ··········<ns3:evr·datatype="evr_string"·operation="greater·than·or·equal">.*1.6.0.*</ns3:evr> | 316 | ··········<ns3:evr·datatype="evr_string"·operation="greater·than·or·equal">.*1.6.0.*</ns3:evr> |
| 317 | ········</ns3:rpminfo_state> | 317 | ········</ns3:rpminfo_state> |
| 318 | ······</ns0:states> | 318 | ······</ns0:states> |
| 319 | ····</ns0:oval_definitions> | 319 | ····</ns0:oval_definitions> |
| 320 | ··</ds:component> | 320 | ··</ds:component> |
| 321 | ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-ocil.xml"·timestamp="2020-07-1 | 321 | ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-ocil.xml"·timestamp="2020-07-12T18:45:47"> |
| 322 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 322 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 323 | ······<ns0:generator> | 323 | ······<ns0:generator> |
| 324 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 324 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 325 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 325 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 326 | ········<ns0:schema_version>2.0</ns0:schema_version> | 326 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 327 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 327 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 328 | ······</ns0:generator> | 328 | ······</ns0:generator> |
| Offset 576, 15 lines modified | Offset 576, 15 lines modified | ||
| 576 | If·properly·configured,·the·output·should·return: | 576 | If·properly·configured,·the·output·should·return: |
| 577 | deployment.security.validation.ocsp=true | 577 | deployment.security.validation.ocsp=true |
| 578 | » » » Is·it·the·case·that·it·does·not·exist·or·is·not·configured·properly?</ns0:question_text> | 578 | » » » Is·it·the·case·that·it·does·not·exist·or·is·not·configured·properly?</ns0:question_text> |
| 579 | ········</ns0:boolean_question> | 579 | ········</ns0:boolean_question> |
| 580 | ······</ns0:questions> | 580 | ······</ns0:questions> |
| 581 | ····</ns0:ocil> | 581 | ····</ns0:ocil> |
| 582 | ··</ds:component> | 582 | ··</ds:component> |
| 583 | ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-xccdf-1.2.xml"·timestamp="2020-07-1 | 583 | ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-xccdf-1.2.xml"·timestamp="2020-07-12T18:47:00"> |
| 584 | ····<Benchmark·id="xccdf_org.ssgproject.content_benchmark_JRE"·resolved="1"·style="SCAP_1.2"·xml:lang="en-US"·xmlns="http://checklists.nist.gov/xccdf/1.2"> | 584 | ····<Benchmark·id="xccdf_org.ssgproject.content_benchmark_JRE"·resolved="1"·style="SCAP_1.2"·xml:lang="en-US"·xmlns="http://checklists.nist.gov/xccdf/1.2"> |
| 585 | ······<status·date="2018-07-26">draft</status> | 585 | ······<status·date="2018-07-26">draft</status> |
| 586 | ······<title·xml:lang="en-US">Guide·to·the·Secure·Configuration·of·Java·Runtime·Environment</title> | 586 | ······<title·xml:lang="en-US">Guide·to·the·Secure·Configuration·of·Java·Runtime·Environment</title> |
| 587 | ······<description·xml:lang="en-US"> | 587 | ······<description·xml:lang="en-US"> |
| 588 | ········This·guide·presents·a·catalog·of·security-relevant | 588 | ········This·guide·presents·a·catalog·of·security-relevant |
| 589 | configuration·settings·for·Java·Runtime·Environment.·It·is·a·rendering·of | 589 | configuration·settings·for·Java·Runtime·Environment.·It·is·a·rendering·of |
| 590 | content·structured·in·the·eXtensible·Configuration·Checklist·Description·Format·(XCCDF) | 590 | content·structured·in·the·eXtensible·Configuration·Checklist·Description·Format·(XCCDF) |
| Offset 772, 219 lines modified | Offset 772, 14 lines modified | ||
| 772 | ········<select·idref="xccdf_org.ssgproject.content_rule_java_jre_validation_ocsp_locked"·selected="true"/> | 772 | ········<select·idref="xccdf_org.ssgproject.content_rule_java_jre_validation_ocsp_locked"·selected="true"/> |
| 773 | ········<select·idref="xccdf_org.ssgproject.content_rule_java_jre_updated"·selected="true"/> | 773 | ········<select·idref="xccdf_org.ssgproject.content_rule_java_jre_updated"·selected="true"/> |
| 774 | ········<select·idref="xccdf_org.ssgproject.content_group_remediation_functions"·selected="false"/> | 774 | ········<select·idref="xccdf_org.ssgproject.content_group_remediation_functions"·selected="false"/> |
| 775 | ······</Profile> | 775 | ······</Profile> |
| 776 | ······<Group·id="xccdf_org.ssgproject.content_group_remediation_functions"> | 776 | ······<Group·id="xccdf_org.ssgproject.content_group_remediation_functions"> |
| 777 | ········<title·xml:lang="en-US">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> | 777 | ········<title·xml:lang="en-US">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> |
| 778 | ········<description·xml:lang="en-US">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> | 778 | ········<description·xml:lang="en-US">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> |
| 779 | ········<Value·hidden="true"·id="xccdf_org.ssgproject.content_value_function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> | ||
| 780 | ··········<title·xml:lang="en-US">Remediation·function·fix_audit_watch_rule</title> | ||
| 781 | ··········<description·xml:lang="en-US">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> | ||
| 782 | ··········<value>#·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: | ||
| 783 | #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements | ||
| 784 | #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect | ||
| 785 | #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules | ||
| 786 | # | ||
| 787 | #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: | ||
| 788 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, | ||
| 789 | #·» » » » » either·'auditctl',·or·'augenrules' | ||
| 790 | #·*·path························» value·of·-w·audit·rule's·argument | ||
| 791 | #·*·required·access·bits········» value·of·-p·audit·rule's·argument | ||
| 792 | #·*·key·························» value·of·-k·audit·rule's·argument | ||
| 793 | # | ||
| 794 | #·Example·call: | ||
| 795 | # | ||
| 796 | #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" | ||
| 797 | # | ||
| 798 | function·fix_audit_watch_rule·{ | ||
| 799 | #·Load·function·arguments·into·local·variables | ||
| 800 | local·tool="$1" | ||
| 801 | local·path="$2" | ||
| 802 | local·required_access_bits="$3" | ||
| 803 | local·key="$4" | ||
| 804 | #·Check·sanity·of·the·input | ||
| 805 | if·[·$#·-ne·"4"·] | ||
| 806 | then | ||
| 807 | » echo·"Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'" | ||
| 808 | » echo·"Aborting." | ||
| 809 | » exit·1 | ||
| 810 | fi | ||
| 811 | #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness | ||
| 812 | #·of·a·particular·audit·rule.·The·scheme·is·as·follows: | ||
| 813 | # | ||
| 814 | #·----------------------------------------------------------------------------------------- | ||
| 815 | #·Tool·used·to·load·audit·rules» |·Rule·already·defined» |··Audit·rules·file·to·inspect» ··| | ||
| 816 | #·----------------------------------------------------------------------------------------- | ||
| 817 | #» auditctl» » |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| | ||
| 818 | #·----------------------------------------------------------------------------------------- | ||
| 819 | #·» augenrules» » |··········Yes»»|··/etc/audit/rules.d/*.rules» ··| | ||
| 820 | #·» augenrules» » |··········No» » |··/etc/audit/rules.d/$key.rules··| | ||
| 821 | #·----------------------------------------------------------------------------------------- | ||
| 822 | declare·-a·files_to_inspect | ||
| 823 | #·Check·sanity·of·the·specified·audit·tool | ||
| 824 | if·[·"$tool"·!=·'auditctl'·]·&&·[·"$tool"·!=·'augenrules'·] | ||
| 825 | then | ||
| 826 | » echo·"Unknown·audit·rules·loading·tool:·$1.·Aborting." | ||
| 827 | » echo·"Use·either·'auditctl'·or·'augenrules'!" | ||
| 828 | » exit·1 | ||
| 829 | #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' | ||
| 830 | #·into·the·list·of·files·to·be·inspected | ||
| 831 | elif·[·"$tool"·==·'auditctl'·] | ||
| 832 | then | ||
| 833 | » files_to_inspect=("${files_to_inspect[@]}"·'/etc/audit/audit.rules') | ||
| 834 | #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined | ||
| 835 | #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. | ||
| 836 | #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. | ||
| 837 | elif·[·"$tool"·==·'augenrules'·] | ||
| 838 | then | ||
| 839 | » #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file | ||
| 840 | » #·Get·pair·--·filepath·:·matching_row·into·@matches·array | ||
| Max diff block lines reached; 71126/86087 bytes (82.62%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:23:21</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Java·Runtime·Environment</ns0:title> | 12 | ········<ns0:title>Java·Runtime·Environment</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product> | 14 | ··········<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product> |
| Offset 190, 219 lines modified | Offset 190, 14 lines modified | ||
| 190 | ····<select·idref="java_jre_validation_ocsp_locked"·selected="true"/> | 190 | ····<select·idref="java_jre_validation_ocsp_locked"·selected="true"/> |
| 191 | ····<select·idref="java_jre_updated"·selected="true"/> | 191 | ····<select·idref="java_jre_updated"·selected="true"/> |
| 192 | ····<select·idref="remediation_functions"·selected="false"/> | 192 | ····<select·idref="remediation_functions"·selected="false"/> |
| 193 | ··</Profile> | 193 | ··</Profile> |
| 194 | ··<Group·id="remediation_functions"> | 194 | ··<Group·id="remediation_functions"> |
| 195 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> | 195 | ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title> |
| 196 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> | 196 | ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description> |
| 197 | ····<Value·hidden="true"·id="function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> | ||
| 198 | ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_watch_rule</title> | ||
| 199 | ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> | ||
| 200 | ······<value>#·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: | ||
| 201 | #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements | ||
| 202 | #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect | ||
| 203 | #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules | ||
| 204 | # | ||
| 205 | #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: | ||
| 206 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, | ||
| 207 | #·» » » » » either·'auditctl',·or·'augenrules' | ||
| 208 | #·*·path························» value·of·-w·audit·rule's·argument | ||
| 209 | #·*·required·access·bits········» value·of·-p·audit·rule's·argument | ||
| 210 | #·*·key·························» value·of·-k·audit·rule's·argument | ||
| 211 | # | ||
| 212 | #·Example·call: | ||
| 213 | # | ||
| 214 | #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" | ||
| 215 | # | ||
| 216 | function·fix_audit_watch_rule·{ | ||
| 217 | #·Load·function·arguments·into·local·variables | ||
| 218 | local·tool="$1" | ||
| 219 | local·path="$2" | ||
| 220 | local·required_access_bits="$3" | ||
| 221 | local·key="$4" | ||
| 222 | #·Check·sanity·of·the·input | ||
| 223 | if·[·$#·-ne·"4"·] | ||
| 224 | then | ||
| 225 | » echo·"Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'" | ||
| 226 | » echo·"Aborting." | ||
| 227 | » exit·1 | ||
| 228 | fi | ||
| 229 | #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness | ||
| 230 | #·of·a·particular·audit·rule.·The·scheme·is·as·follows: | ||
| 231 | # | ||
| 232 | #·----------------------------------------------------------------------------------------- | ||
| 233 | #·Tool·used·to·load·audit·rules» |·Rule·already·defined» |··Audit·rules·file·to·inspect» ··| | ||
| 234 | #·----------------------------------------------------------------------------------------- | ||
| 235 | #» auditctl» » |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| | ||
| 236 | #·----------------------------------------------------------------------------------------- | ||
| 237 | #·» augenrules» » |··········Yes»»|··/etc/audit/rules.d/*.rules» ··| | ||
| 238 | #·» augenrules» » |··········No» » |··/etc/audit/rules.d/$key.rules··| | ||
| 239 | #·----------------------------------------------------------------------------------------- | ||
| 240 | declare·-a·files_to_inspect | ||
| 241 | #·Check·sanity·of·the·specified·audit·tool | ||
| 242 | if·[·"$tool"·!=·'auditctl'·]·&&·[·"$tool"·!=·'augenrules'·] | ||
| 243 | then | ||
| 244 | » echo·"Unknown·audit·rules·loading·tool:·$1.·Aborting." | ||
| 245 | » echo·"Use·either·'auditctl'·or·'augenrules'!" | ||
| 246 | » exit·1 | ||
| 247 | #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' | ||
| 248 | #·into·the·list·of·files·to·be·inspected | ||
| 249 | elif·[·"$tool"·==·'auditctl'·] | ||
| 250 | then | ||
| 251 | » files_to_inspect=("${files_to_inspect[@]}"·'/etc/audit/audit.rules') | ||
| 252 | #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined | ||
| 253 | #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. | ||
| 254 | #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. | ||
| 255 | elif·[·"$tool"·==·'augenrules'·] | ||
| 256 | then | ||
| 257 | » #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file | ||
| 258 | » #·Get·pair·--·filepath·:·matching_row·into·@matches·array | ||
| 259 | » IFS=$'\n'·matches=($(grep·-P·"[\s]*-w[\s]+$path"·/etc/audit/rules.d/*.rules)) | ||
| 260 | » #·Reset·IFS·back·to·default | ||
| 261 | » unset·IFS | ||
| 262 | » #·For·each·of·the·matched·entries | ||
| 263 | » for·match·in·"${matches[@]}" | ||
| 264 | » do | ||
| 265 | » » #·Extract·filepath·from·the·match | ||
| 266 | » » rulesd_audit_file=$(echo·$match·|·cut·-f1·-d·':') | ||
| 267 | » » #·Append·that·path·into·list·of·files·for·inspection | ||
| 268 | » » files_to_inspect=("${files_to_inspect[@]}"·"$rulesd_audit_file") | ||
| 269 | » done | ||
| 270 | » #·Case·when·particular·audit·rule·isn't·defined·yet | ||
| 271 | » if·[·${#files_to_inspect[@]}·-eq·"0"·] | ||
| 272 | » then | ||
| 273 | » » #·Append·'/etc/audit/rules.d/$key.rules'·into·list·of·files·for·inspection | ||
| 274 | » » files_to_inspect="/etc/audit/rules.d/$key.rules" | ||
| 275 | » » #·If·the·$key.rules·file·doesn't·exist·yet,·create·it·with·correct·permissions | ||
| 276 | » » if·[·!·-e·"$files_to_inspect"·] | ||
| 277 | » » then | ||
| 278 | » » » touch·"$files_to_inspect" | ||
| 279 | » » » chmod·0640·"$files_to_inspect" | ||
| 280 | » » fi | ||
| 281 | » fi | ||
| 282 | fi | ||
| 283 | #·Finally·perform·the·inspection·and·possible·subsequent·audit·rule | ||
| 284 | #·correction·for·each·of·the·files·previously·identified·for·inspection | ||
| 285 | for·audit_rules_file·in·"${files_to_inspect[@]}" | ||
| 286 | do | ||
| 287 | » #·Check·if·audit·watch·file·system·object·rule·for·given·path·already·present | ||
| 288 | » if·grep·-q·-P·--·"[\s]*-w[\s]+$path"·"$audit_rules_file" | ||
| 289 | » then | ||
| 290 | » » #·Rule·is·found·=>·verify·yet·if·existing·rule·definition·contains | ||
| 291 | » » #·all·of·the·required·access·type·bits | ||
| 292 | » » #·Escape·slashes·in·path·for·use·in·sed·pattern·below | ||
| 293 | » » local·esc_path=${path//$'/'/$'\/'} | ||
| 294 | » » #·Define·BRE·whitespace·class·shortcut | ||
| 295 | » » local·sp="[[:space:]]" | ||
| 296 | » » #·Extract·current·permission·access·types·(e.g.·-p·[r|w|x|a]·values)·from·audit·rule | ||
| 297 | » » current_access_bits=$(sed·-ne·"s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p"·"$audit_rules_file") | ||
| 298 | » » #·Split·required·access·bits·string·into·characters·array | ||
| 299 | » » #·(to·check·bit's·presence·for·one·bit·at·a·time) | ||
| 300 | » » for·access_bit·in·$(echo·"$required_access_bits"·|·grep·-o·.) | ||
| 301 | » » do | ||
| 302 | » » » #·For·each·from·the·required·access·bits·(e.g.·'w',·'a')·check | ||
| 303 | » » » #·if·they·are·already·present·in·current·access·bits·for·rule. | ||
| 304 | » » » #·If·not,·append·that·bit·at·the·end | ||
| 305 | » » » if·!·grep·-q·"$access_bit"·<<<·"$current_access_bits" | ||
| 306 | » » » then | ||
| 307 | » » » » #·Concatenate·the·existing·mask·with·the·missing·bit | ||
| 308 | » » » » current_access_bits="$current_access_bits$access_bit" | ||
| 309 | » » » fi | ||
| Max diff block lines reached; 68628/79275 bytes (86.57%) of diff not shown. | |||
| Offset 1, 3 lines modified | Offset 1, 3 lines modified | ||
| 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary | 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary |
| 2 | -rw-r--r--···0········0········0·····2108·2018-07-26·14:58:28.000000·control.tar.xz | 2 | -rw-r--r--···0········0········0·····2108·2018-07-26·14:58:28.000000·control.tar.xz |
| 3 | -rw-r--r--···0········0········0···1651 | 3 | -rw-r--r--···0········0········0···165108·2018-07-26·14:58:28.000000·data.tar.xz |
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 89, 44 lines modified | Offset 89, 44 lines modified | ||
| 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 90 | class·remove_nis·{ | 90 | class·remove_nis·{ |
| 91 | ··package·{·'nis': | 91 | ··package·{·'nis': |
| 92 | ····ensure·=>·'purged', | 92 | ····ensure·=>·'purged', |
| 93 | ··} | 93 | ··} |
| 94 | } | 94 | } |
| 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 100 | #» ···from·the·system,·and·may·remove·any·packages | 100 | #» ···from·the·system,·and·may·remove·any·packages |
| 101 | #» ···that·depend·on· | 101 | #» ···that·depend·on·telnetd.·Execute·this |
| 102 | #» ···remediation·AFTER·testing·on·a·non-production | 102 | #» ···remediation·AFTER·testing·on·a·non-production |
| 103 | #» ···system! | 103 | #» ···system! |
| 104 | apt-get·remove·--purge· | 104 | apt-get·remove·--purge·telnetd |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 106 | ··package: | 106 | ··package: |
| 107 | ····name="{{item}}" | 107 | ····name="{{item}}" |
| 108 | ····state=absent | 108 | ····state=absent |
| 109 | ··with_items: | 109 | ··with_items: |
| 110 | ····-· | 110 | ····-·telnetd |
| 111 | ··tags: | 111 | ··tags: |
| 112 | ····-·package_ | 112 | ····-·package_telnetd_removed |
| 113 | ····-·high_severity | 113 | ····-·high_severity |
| 114 | ····-·disable_strategy | 114 | ····-·disable_strategy |
| 115 | ····-·low_complexity | 115 | ····-·low_complexity |
| 116 | ····-·low_disruption | 116 | ····-·low_disruption |
| 117 | ····-·CCE- | 117 | ····-·CCE- |
| 118 | ····-·NIST-800-53-AC-17(8) | 118 | ····-·NIST-800-53-AC-17(8) |
| 119 | ····-·NIST-800-53-CM-7 | 119 | ····-·NIST-800-53-CM-7 |
| 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 121 | class·remove_ | 121 | class·remove_telnetd·{ |
| 122 | ··package·{·' | 122 | ··package·{·'telnetd': |
| 123 | ····ensure·=>·'purged', | 123 | ····ensure·=>·'purged', |
| 124 | ··} | 124 | ··} |
| 125 | } | 125 | } |
| 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package | 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package |
| 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate | 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate |
| Offset 185, 44 lines modified | Offset 185, 44 lines modified | ||
| 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 186 | class·remove_telnetd-ssl·{ | 186 | class·remove_telnetd-ssl·{ |
| 187 | ··package·{·'telnetd-ssl': | 187 | ··package·{·'telnetd-ssl': |
| 188 | ····ensure·=>·'purged', | 188 | ····ensure·=>·'purged', |
| 189 | ··} | 189 | ··} |
| 190 | } | 190 | } |
| 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 196 | #» ···from·the·system,·and·may·remove·any·packages | 196 | #» ···from·the·system,·and·may·remove·any·packages |
| 197 | #» ···that·depend·on·telnetd.·Execute·this | 197 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 198 | #» ···remediation·AFTER·testing·on·a·non-production | 198 | #» ···remediation·AFTER·testing·on·a·non-production |
| 199 | #» ···system! | 199 | #» ···system! |
| 200 | apt-get·remove·--purge·telnetd | 200 | apt-get·remove·--purge·inetutils-telnetd |
| 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 202 | ··package: | 202 | ··package: |
| 203 | ····name="{{item}}" | 203 | ····name="{{item}}" |
| 204 | ····state=absent | 204 | ····state=absent |
| 205 | ··with_items: | 205 | ··with_items: |
| 206 | ····-·telnetd | 206 | ····-·inetutils-telnetd |
| 207 | ··tags: | 207 | ··tags: |
| 208 | ····-·package_telnetd_removed | 208 | ····-·package_inetutils-telnetd_removed |
| 209 | ····-·high_severity | 209 | ····-·high_severity |
| 210 | ····-·disable_strategy | 210 | ····-·disable_strategy |
| 211 | ····-·low_complexity | 211 | ····-·low_complexity |
| 212 | ····-·low_disruption | 212 | ····-·low_disruption |
| 213 | ····-·CCE- | 213 | ····-·CCE- |
| 214 | ····-·NIST-800-53-AC-17(8) | 214 | ····-·NIST-800-53-AC-17(8) |
| 215 | ····-·NIST-800-53-CM-7 | 215 | ····-·NIST-800-53-CM-7 |
| 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 217 | class·remove_telnetd·{ | 217 | class·remove_inetutils-telnetd·{ |
| 218 | ··package·{·'telnetd': | 218 | ··package·{·'inetutils-telnetd': |
| 219 | ····ensure·=>·'purged', | 219 | ····ensure·=>·'purged', |
| 220 | ··} | 220 | ··} |
| 221 | } | 221 | } |
| 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service | 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 269, 26 lines modified | Offset 269, 23 lines modified | ||
| 269 | verified·by·ensuring·that·the·following | 269 | verified·by·ensuring·that·the·following |
| 270 | line·appears: | 270 | line·appears: |
| 271 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | 271 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that |
| 272 | result·in·security·vulnerabilities·and | 272 | result·in·security·vulnerabilities·and |
| 273 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 273 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 274 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 274 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 275 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 275 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 276 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 276 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count |
| 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_ | 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 278 | e | 278 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 279 | 279 | follows: | |
| 280 | <pre> | 280 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 281 | 281 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 282 | 282 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | |
| 283 | remote·login·via·SSH·will·require·a·password, | ||
| 284 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 285 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 286 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 283 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 287 | ············<a·href="http:// | 284 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 288 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 285 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 289 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 286 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| Max diff block lines reached; 38991/69435 bytes (56.15%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"><small>contains·37·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 89, 44 lines modified | Offset 89, 44 lines modified | ||
| 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 90 | class·remove_nis·{ | 90 | class·remove_nis·{ |
| 91 | ··package·{·'nis': | 91 | ··package·{·'nis': |
| 92 | ····ensure·=>·'purged', | 92 | ····ensure·=>·'purged', |
| 93 | ··} | 93 | ··} |
| 94 | } | 94 | } |
| 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 100 | #» ···from·the·system,·and·may·remove·any·packages | 100 | #» ···from·the·system,·and·may·remove·any·packages |
| 101 | #» ···that·depend·on· | 101 | #» ···that·depend·on·telnetd.·Execute·this |
| 102 | #» ···remediation·AFTER·testing·on·a·non-production | 102 | #» ···remediation·AFTER·testing·on·a·non-production |
| 103 | #» ···system! | 103 | #» ···system! |
| 104 | apt-get·remove·--purge· | 104 | apt-get·remove·--purge·telnetd |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 106 | ··package: | 106 | ··package: |
| 107 | ····name="{{item}}" | 107 | ····name="{{item}}" |
| 108 | ····state=absent | 108 | ····state=absent |
| 109 | ··with_items: | 109 | ··with_items: |
| 110 | ····-· | 110 | ····-·telnetd |
| 111 | ··tags: | 111 | ··tags: |
| 112 | ····-·package_ | 112 | ····-·package_telnetd_removed |
| 113 | ····-·high_severity | 113 | ····-·high_severity |
| 114 | ····-·disable_strategy | 114 | ····-·disable_strategy |
| 115 | ····-·low_complexity | 115 | ····-·low_complexity |
| 116 | ····-·low_disruption | 116 | ····-·low_disruption |
| 117 | ····-·CCE- | 117 | ····-·CCE- |
| 118 | ····-·NIST-800-53-AC-17(8) | 118 | ····-·NIST-800-53-AC-17(8) |
| 119 | ····-·NIST-800-53-CM-7 | 119 | ····-·NIST-800-53-CM-7 |
| 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 121 | class·remove_ | 121 | class·remove_telnetd·{ |
| 122 | ··package·{·' | 122 | ··package·{·'telnetd': |
| 123 | ····ensure·=>·'purged', | 123 | ····ensure·=>·'purged', |
| 124 | ··} | 124 | ··} |
| 125 | } | 125 | } |
| 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package | 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package |
| 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate | 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate |
| Offset 185, 44 lines modified | Offset 185, 44 lines modified | ||
| 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 186 | class·remove_telnetd-ssl·{ | 186 | class·remove_telnetd-ssl·{ |
| 187 | ··package·{·'telnetd-ssl': | 187 | ··package·{·'telnetd-ssl': |
| 188 | ····ensure·=>·'purged', | 188 | ····ensure·=>·'purged', |
| 189 | ··} | 189 | ··} |
| 190 | } | 190 | } |
| 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 196 | #» ···from·the·system,·and·may·remove·any·packages | 196 | #» ···from·the·system,·and·may·remove·any·packages |
| 197 | #» ···that·depend·on·telnetd.·Execute·this | 197 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 198 | #» ···remediation·AFTER·testing·on·a·non-production | 198 | #» ···remediation·AFTER·testing·on·a·non-production |
| 199 | #» ···system! | 199 | #» ···system! |
| 200 | apt-get·remove·--purge·telnetd | 200 | apt-get·remove·--purge·inetutils-telnetd |
| 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 202 | ··package: | 202 | ··package: |
| 203 | ····name="{{item}}" | 203 | ····name="{{item}}" |
| 204 | ····state=absent | 204 | ····state=absent |
| 205 | ··with_items: | 205 | ··with_items: |
| 206 | ····-·telnetd | 206 | ····-·inetutils-telnetd |
| 207 | ··tags: | 207 | ··tags: |
| 208 | ····-·package_telnetd_removed | 208 | ····-·package_inetutils-telnetd_removed |
| 209 | ····-·high_severity | 209 | ····-·high_severity |
| 210 | ····-·disable_strategy | 210 | ····-·disable_strategy |
| 211 | ····-·low_complexity | 211 | ····-·low_complexity |
| 212 | ····-·low_disruption | 212 | ····-·low_disruption |
| 213 | ····-·CCE- | 213 | ····-·CCE- |
| 214 | ····-·NIST-800-53-AC-17(8) | 214 | ····-·NIST-800-53-AC-17(8) |
| 215 | ····-·NIST-800-53-CM-7 | 215 | ····-·NIST-800-53-CM-7 |
| 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 217 | class·remove_telnetd·{ | 217 | class·remove_inetutils-telnetd·{ |
| 218 | ··package·{·'telnetd': | 218 | ··package·{·'inetutils-telnetd': |
| 219 | ····ensure·=>·'purged', | 219 | ····ensure·=>·'purged', |
| 220 | ··} | 220 | ··} |
| 221 | } | 221 | } |
| 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service | 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 363, 26 lines modified | Offset 363, 23 lines modified | ||
| 363 | verified·by·ensuring·that·the·following | 363 | verified·by·ensuring·that·the·following |
| 364 | line·appears: | 364 | line·appears: |
| 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that |
| 366 | result·in·security·vulnerabilities·and | 366 | result·in·security·vulnerabilities·and |
| 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count |
| 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_ | 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 372 | e | 372 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 373 | 373 | follows: | |
| 374 | <pre> | 374 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 375 | 375 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 376 | 376 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | |
| 377 | remote·login·via·SSH·will·require·a·password, | ||
| 378 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 379 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 380 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 377 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 381 | ············<a·href="http:// | 378 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 382 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 379 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 383 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 380 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| Max diff block lines reached; 43389/74020 bytes (58.62%) of diff not shown. | |||
| Offset 89, 44 lines modified | Offset 89, 44 lines modified | ||
| 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 90 | class·remove_nis·{ | 90 | class·remove_nis·{ |
| 91 | ··package·{·'nis': | 91 | ··package·{·'nis': |
| 92 | ····ensure·=>·'purged', | 92 | ····ensure·=>·'purged', |
| 93 | ··} | 93 | ··} |
| 94 | } | 94 | } |
| 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 100 | #» ···from·the·system,·and·may·remove·any·packages | 100 | #» ···from·the·system,·and·may·remove·any·packages |
| 101 | #» ···that·depend·on· | 101 | #» ···that·depend·on·telnetd.·Execute·this |
| 102 | #» ···remediation·AFTER·testing·on·a·non-production | 102 | #» ···remediation·AFTER·testing·on·a·non-production |
| 103 | #» ···system! | 103 | #» ···system! |
| 104 | apt-get·remove·--purge· | 104 | apt-get·remove·--purge·telnetd |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 106 | ··package: | 106 | ··package: |
| 107 | ····name="{{item}}" | 107 | ····name="{{item}}" |
| 108 | ····state=absent | 108 | ····state=absent |
| 109 | ··with_items: | 109 | ··with_items: |
| 110 | ····-· | 110 | ····-·telnetd |
| 111 | ··tags: | 111 | ··tags: |
| 112 | ····-·package_ | 112 | ····-·package_telnetd_removed |
| 113 | ····-·high_severity | 113 | ····-·high_severity |
| 114 | ····-·disable_strategy | 114 | ····-·disable_strategy |
| 115 | ····-·low_complexity | 115 | ····-·low_complexity |
| 116 | ····-·low_disruption | 116 | ····-·low_disruption |
| 117 | ····-·CCE- | 117 | ····-·CCE- |
| 118 | ····-·NIST-800-53-AC-17(8) | 118 | ····-·NIST-800-53-AC-17(8) |
| 119 | ····-·NIST-800-53-CM-7 | 119 | ····-·NIST-800-53-CM-7 |
| 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 121 | class·remove_ | 121 | class·remove_telnetd·{ |
| 122 | ··package·{·' | 122 | ··package·{·'telnetd': |
| 123 | ····ensure·=>·'purged', | 123 | ····ensure·=>·'purged', |
| 124 | ··} | 124 | ··} |
| 125 | } | 125 | } |
| 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·id="guide-tree-leaf-idm4858"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">Uninstall·the·ssl·compliant·telnet·server | 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·id="guide-tree-leaf-idm4858"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">Uninstall·the·ssl·compliant·telnet·server |
| 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon,·even·with·ssl·support,·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet,·even·with·ssl·support,·should·not·be·installed.·When·remote·shell·is·required,·up-to-date·ssh·daemon·can·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon,·even·with·ssl·support,·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet,·even·with·ssl·support,·should·not·be·installed.·When·remote·shell·is·required,·up-to-date·ssh·daemon·can·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| Offset 155, 44 lines modified | Offset 155, 44 lines modified | ||
| 155 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 155 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 156 | class·remove_telnetd-ssl·{ | 156 | class·remove_telnetd-ssl·{ |
| 157 | ··package·{·'telnetd-ssl': | 157 | ··package·{·'telnetd-ssl': |
| 158 | ····ensure·=>·'purged', | 158 | ····ensure·=>·'purged', |
| 159 | ··} | 159 | ··} |
| 160 | } | 160 | } |
| 161 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 161 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 162 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 162 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 163 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 163 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 164 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 164 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 165 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 165 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 166 | #» ···from·the·system,·and·may·remove·any·packages | 166 | #» ···from·the·system,·and·may·remove·any·packages |
| 167 | #» ···that·depend·on·telnetd.·Execute·this | 167 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 168 | #» ···remediation·AFTER·testing·on·a·non-production | 168 | #» ···remediation·AFTER·testing·on·a·non-production |
| 169 | #» ···system! | 169 | #» ···system! |
| 170 | apt-get·remove·--purge·telnetd | 170 | apt-get·remove·--purge·inetutils-telnetd |
| 171 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 171 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 172 | ··package: | 172 | ··package: |
| 173 | ····name="{{item}}" | 173 | ····name="{{item}}" |
| 174 | ····state=absent | 174 | ····state=absent |
| 175 | ··with_items: | 175 | ··with_items: |
| 176 | ····-·telnetd | 176 | ····-·inetutils-telnetd |
| 177 | ··tags: | 177 | ··tags: |
| 178 | ····-·package_telnetd_removed | 178 | ····-·package_inetutils-telnetd_removed |
| 179 | ····-·high_severity | 179 | ····-·high_severity |
| 180 | ····-·disable_strategy | 180 | ····-·disable_strategy |
| 181 | ····-·low_complexity | 181 | ····-·low_complexity |
| 182 | ····-·low_disruption | 182 | ····-·low_disruption |
| 183 | ····-·CCE- | 183 | ····-·CCE- |
| 184 | ····-·NIST-800-53-AC-17(8) | 184 | ····-·NIST-800-53-AC-17(8) |
| 185 | ····-·NIST-800-53-CM-7 | 185 | ····-·NIST-800-53-CM-7 |
| 186 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 186 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 187 | class·remove_telnetd·{ | 187 | class·remove_inetutils-telnetd·{ |
| 188 | ··package·{·'telnetd': | 188 | ··package·{·'inetutils-telnetd': |
| 189 | ····ensure·=>·'purged', | 189 | ····ensure·=>·'purged', |
| 190 | ··} | 190 | ··} |
| 191 | } | 191 | } |
| 192 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration | 192 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration |
| 193 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·id="guide-tree-leaf-idm5108"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_apt"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">Disable·unauthenticated·repositories·in·APT·configuration | 193 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·id="guide-tree-leaf-idm5108"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_apt"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">Disable·unauthenticated·repositories·in·APT·configuration |
| 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unauthenticated·repositories·should·not·be·used·for·updates.</p><span·class="label·label-primary">Rationale:</span><p>Repositories·hosts·all·packages·that·will·be·intsalled·on·the·system·during·update. | 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unauthenticated·repositories·should·not·be·used·for·updates.</p><span·class="label·label-primary">Rationale:</span><p>Repositories·hosts·all·packages·that·will·be·intsalled·on·the·system·during·update. |
| 195 | ····If·a·repository·is·not·authenticated,·the·associated·packages·can't·be·trusted, | 195 | ····If·a·repository·is·not·authenticated,·the·associated·packages·can't·be·trusted, |
| Offset 202, 25 lines modified | Offset 202, 25 lines modified | ||
| 202 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo | 202 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo |
| 203 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority | 203 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority |
| 204 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· | 204 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· |
| 205 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands | 205 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands |
| 206 | that·normally·only·<code>root</code>·is·allowed·to·execute. | 206 | that·normally·only·<code>root</code>·is·allowed·to·execute. |
| 207 | <br><br> | 207 | <br><br> |
| 208 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see | 208 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see |
| 209 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·id="guide-tree-leaf-idm540 | 209 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·id="guide-tree-leaf-idm5140"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate |
| 210 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>!authenticate</code>·option,·when·specified,·allows·a·user·to·execute·commands·using | 210 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>!authenticate</code>·option,·when·specified,·allows·a·user·to·execute·commands·using |
| 211 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the | 211 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the |
| 212 | <code>!authenticate</code>·option·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or | 212 | <code>!authenticate</code>·option·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or |
| 213 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they | 213 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they |
| 214 | do·not·have·authorization. | 214 | do·not·have·authorization. |
| 215 | <br><br> | 215 | <br><br> |
| 216 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it | 216 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it |
| 217 | is·critical·that·the·user·re-authenticate.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 217 | is·critical·that·the·user·re-authenticate.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 218 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 218 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 219 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·id="guide-tree-leaf-idm5 | 219 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·id="guide-tree-leaf-idm5160"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD |
| 220 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>NOPASSWD</code>·tag,·when·specified,·allows·a·user·to·execute·commands·using | 220 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>NOPASSWD</code>·tag,·when·specified,·allows·a·user·to·execute·commands·using |
| 221 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the | 221 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the |
| 222 | <code>NOPASSWD</code>·tag·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or· | 222 | <code>NOPASSWD</code>·tag·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or· |
| 223 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they | 223 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they |
| 224 | do·not·have·authorization. | 224 | do·not·have·authorization. |
| 225 | <br><br> | 225 | <br><br> |
| 226 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it | 226 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it |
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Restrictive·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Restrictive·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"><small>contains·36·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 89, 44 lines modified | Offset 89, 44 lines modified | ||
| 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 90 | class·remove_nis·{ | 90 | class·remove_nis·{ |
| 91 | ··package·{·'nis': | 91 | ··package·{·'nis': |
| 92 | ····ensure·=>·'purged', | 92 | ····ensure·=>·'purged', |
| 93 | ··} | 93 | ··} |
| 94 | } | 94 | } |
| 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 100 | #» ···from·the·system,·and·may·remove·any·packages | 100 | #» ···from·the·system,·and·may·remove·any·packages |
| 101 | #» ···that·depend·on· | 101 | #» ···that·depend·on·telnetd.·Execute·this |
| 102 | #» ···remediation·AFTER·testing·on·a·non-production | 102 | #» ···remediation·AFTER·testing·on·a·non-production |
| 103 | #» ···system! | 103 | #» ···system! |
| 104 | apt-get·remove·--purge· | 104 | apt-get·remove·--purge·telnetd |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 106 | ··package: | 106 | ··package: |
| 107 | ····name="{{item}}" | 107 | ····name="{{item}}" |
| 108 | ····state=absent | 108 | ····state=absent |
| 109 | ··with_items: | 109 | ··with_items: |
| 110 | ····-· | 110 | ····-·telnetd |
| 111 | ··tags: | 111 | ··tags: |
| 112 | ····-·package_ | 112 | ····-·package_telnetd_removed |
| 113 | ····-·high_severity | 113 | ····-·high_severity |
| 114 | ····-·disable_strategy | 114 | ····-·disable_strategy |
| 115 | ····-·low_complexity | 115 | ····-·low_complexity |
| 116 | ····-·low_disruption | 116 | ····-·low_disruption |
| 117 | ····-·CCE- | 117 | ····-·CCE- |
| 118 | ····-·NIST-800-53-AC-17(8) | 118 | ····-·NIST-800-53-AC-17(8) |
| 119 | ····-·NIST-800-53-CM-7 | 119 | ····-·NIST-800-53-CM-7 |
| 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 121 | class·remove_ | 121 | class·remove_telnetd·{ |
| 122 | ··package·{·' | 122 | ··package·{·'telnetd': |
| 123 | ····ensure·=>·'purged', | 123 | ····ensure·=>·'purged', |
| 124 | ··} | 124 | ··} |
| 125 | } | 125 | } |
| 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package | 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package |
| 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate | 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate |
| Offset 185, 44 lines modified | Offset 185, 44 lines modified | ||
| 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 186 | class·remove_telnetd-ssl·{ | 186 | class·remove_telnetd-ssl·{ |
| 187 | ··package·{·'telnetd-ssl': | 187 | ··package·{·'telnetd-ssl': |
| 188 | ····ensure·=>·'purged', | 188 | ····ensure·=>·'purged', |
| 189 | ··} | 189 | ··} |
| 190 | } | 190 | } |
| 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 196 | #» ···from·the·system,·and·may·remove·any·packages | 196 | #» ···from·the·system,·and·may·remove·any·packages |
| 197 | #» ···that·depend·on·telnetd.·Execute·this | 197 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 198 | #» ···remediation·AFTER·testing·on·a·non-production | 198 | #» ···remediation·AFTER·testing·on·a·non-production |
| 199 | #» ···system! | 199 | #» ···system! |
| 200 | apt-get·remove·--purge·telnetd | 200 | apt-get·remove·--purge·inetutils-telnetd |
| 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 202 | ··package: | 202 | ··package: |
| 203 | ····name="{{item}}" | 203 | ····name="{{item}}" |
| 204 | ····state=absent | 204 | ····state=absent |
| 205 | ··with_items: | 205 | ··with_items: |
| 206 | ····-·telnetd | 206 | ····-·inetutils-telnetd |
| 207 | ··tags: | 207 | ··tags: |
| 208 | ····-·package_telnetd_removed | 208 | ····-·package_inetutils-telnetd_removed |
| 209 | ····-·high_severity | 209 | ····-·high_severity |
| 210 | ····-·disable_strategy | 210 | ····-·disable_strategy |
| 211 | ····-·low_complexity | 211 | ····-·low_complexity |
| 212 | ····-·low_disruption | 212 | ····-·low_disruption |
| 213 | ····-·CCE- | 213 | ····-·CCE- |
| 214 | ····-·NIST-800-53-AC-17(8) | 214 | ····-·NIST-800-53-AC-17(8) |
| 215 | ····-·NIST-800-53-CM-7 | 215 | ····-·NIST-800-53-CM-7 |
| 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 217 | class·remove_telnetd·{ | 217 | class·remove_inetutils-telnetd·{ |
| 218 | ··package·{·'telnetd': | 218 | ··package·{·'inetutils-telnetd': |
| 219 | ····ensure·=>·'purged', | 219 | ····ensure·=>·'purged', |
| 220 | ··} | 220 | ··} |
| 221 | } | 221 | } |
| 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service | 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 363, 26 lines modified | Offset 363, 23 lines modified | ||
| 363 | verified·by·ensuring·that·the·following | 363 | verified·by·ensuring·that·the·following |
| 364 | line·appears: | 364 | line·appears: |
| 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that |
| 366 | result·in·security·vulnerabilities·and | 366 | result·in·security·vulnerabilities·and |
| 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count |
| 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_ | 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 372 | e | 372 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 373 | 373 | follows: | |
| 374 | <pre> | 374 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 375 | 375 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 376 | 376 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | |
| 377 | remote·login·via·SSH·will·require·a·password, | ||
| 378 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 379 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 380 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 377 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 381 | ············<a·href="http:// | 378 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 382 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 379 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 383 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 380 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| Max diff block lines reached; 38991/69429 bytes (56.16%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| Offset 75, 15 lines modified | Offset 75, 23 lines modified | ||
| 75 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 75 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 77 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 77 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 78 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 78 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 79 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 79 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 80 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration | 80 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration |
| 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings | 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings |
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage |
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo | ||
| 84 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority | ||
| 85 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· | ||
| 86 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands | ||
| 87 | that·normally·only·<code>root</code>·is·allowed·to·execute. | ||
| 88 | <br><br> | ||
| 89 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see | ||
| 90 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog | ||
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for | 91 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for |
| 84 | many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format, | 92 | many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format, |
| 85 | lack·of·authentication·for·received·messages,·and·lack·of·authentication, | 93 | lack·of·authentication·for·received·messages,·and·lack·of·authentication, |
| 86 | encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However, | 94 | encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However, |
| 87 | due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by | 95 | due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by |
| 88 | almost·all·Unix·applications. | 96 | almost·all·Unix·applications. |
| 89 | <br> | 97 | <br> |
| Offset 165, 23 lines modified | Offset 173, 15 lines modified | ||
| 165 | stores·four·archival·copies·of·each·log.·These·settings·can·be | 173 | stores·four·archival·copies·of·each·log.·These·settings·can·be |
| 166 | modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are | 174 | modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are |
| 167 | sufficient·for·purposes·of·this·guide. | 175 | sufficient·for·purposes·of·this·guide. |
| 168 | <br><br> | 176 | <br><br> |
| 169 | Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job | 177 | Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job |
| 170 | <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be | 178 | <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be |
| 171 | rotated·more·often·than·once·a·day,·some·other·mechanism·must·be | 179 | rotated·more·often·than·once·a·day,·some·other·mechanism·must·be |
| 172 | used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 180 | used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_fs-part"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem |
| 173 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo | ||
| 174 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority | ||
| 175 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· | ||
| 176 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands | ||
| 177 | that·normally·only·<code>root</code>·is·allowed·to·execute. | ||
| 178 | <br><br> | ||
| 179 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see | ||
| 180 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_fs-part"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem | ||
| 181 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_fs-part">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardening·the·filesystem·and·its·usage·is·an·efficient·way·to·ensure·an·efficient·separation·of·services, | 181 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_fs-part">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardening·the·filesystem·and·its·usage·is·an·efficient·way·to·ensure·an·efficient·separation·of·services, |
| 182 | data·and·configurations·while·ensuring·a·more·precise·management·of·filesystem·level·access·rights,·enabling·deactivation | 182 | data·and·configurations·while·ensuring·a·more·precise·management·of·filesystem·level·access·rights,·enabling·deactivation |
| 183 | of·some·specific·rights·at·the·filesystem·level.·Moreover,·the·Linux·Virtual·file·system·support·various·hardening·mechanisms | 183 | of·some·specific·rights·at·the·filesystem·level.·Moreover,·the·Linux·Virtual·file·system·support·various·hardening·mechanisms |
| 184 | that·can·be·set·using·sysctl.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_installation-storage-partitioning"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installation-storage-partitioning"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fs-part"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_installation-storage-partitioning">Partitioning | 184 | that·can·be·set·using·sysctl.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_installation-storage-partitioning"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installation-storage-partitioning"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fs-part"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_installation-storage-partitioning">Partitioning |
| 185 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_installation-storage-partitioning">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Separating·various·locations·of·the·file·systems·in·different·partitions·allows·a·more·restrictive | 185 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_installation-storage-partitioning">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Separating·various·locations·of·the·file·systems·in·different·partitions·allows·a·more·restrictive |
| 186 | ··segregation,·distinctly·from·one·location·to·another.·Moreover,·some·native·restrictions·can·be·made·by | 186 | ··segregation,·distinctly·from·one·location·to·another.·Moreover,·some·native·restrictions·can·be·made·by |
| 187 | partitioning,·such·as·no·hard·link·between·different·filesystems,·and·reduce·the·corruption·impact·to·the | 187 | partitioning,·such·as·no·hard·link·between·different·filesystems,·and·reduce·the·corruption·impact·to·the |
| Offset 91, 44 lines modified | Offset 91, 44 lines modified | ||
| 91 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 91 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 92 | class·remove_nis·{ | 92 | class·remove_nis·{ |
| 93 | ··package·{·'nis': | 93 | ··package·{·'nis': |
| 94 | ····ensure·=>·'purged', | 94 | ····ensure·=>·'purged', |
| 95 | ··} | 95 | ··} |
| 96 | } | 96 | } |
| 97 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 97 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 99 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 99 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 100 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 100 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 101 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 101 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 102 | #» ···from·the·system,·and·may·remove·any·packages | 102 | #» ···from·the·system,·and·may·remove·any·packages |
| 103 | #» ···that·depend·on· | 103 | #» ···that·depend·on·telnetd.·Execute·this |
| 104 | #» ···remediation·AFTER·testing·on·a·non-production | 104 | #» ···remediation·AFTER·testing·on·a·non-production |
| 105 | #» ···system! | 105 | #» ···system! |
| 106 | apt-get·remove·--purge· | 106 | apt-get·remove·--purge·telnetd |
| 107 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 107 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 108 | ··package: | 108 | ··package: |
| 109 | ····name="{{item}}" | 109 | ····name="{{item}}" |
| 110 | ····state=absent | 110 | ····state=absent |
| 111 | ··with_items: | 111 | ··with_items: |
| 112 | ····-· | 112 | ····-·telnetd |
| 113 | ··tags: | 113 | ··tags: |
| 114 | ····-·package_ | 114 | ····-·package_telnetd_removed |
| 115 | ····-·high_severity | 115 | ····-·high_severity |
| 116 | ····-·disable_strategy | 116 | ····-·disable_strategy |
| 117 | ····-·low_complexity | 117 | ····-·low_complexity |
| 118 | ····-·low_disruption | 118 | ····-·low_disruption |
| 119 | ····-·CCE- | 119 | ····-·CCE- |
| 120 | ····-·NIST-800-53-AC-17(8) | 120 | ····-·NIST-800-53-AC-17(8) |
| 121 | ····-·NIST-800-53-CM-7 | 121 | ····-·NIST-800-53-CM-7 |
| 122 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 122 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 123 | class·remove_ | 123 | class·remove_telnetd·{ |
| 124 | ··package·{·' | 124 | ··package·{·'telnetd': |
| 125 | ····ensure·=>·'purged', | 125 | ····ensure·=>·'purged', |
| 126 | ··} | 126 | ··} |
| 127 | } | 127 | } |
| 128 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package | 128 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package |
| 129 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 129 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 130 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 130 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 131 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate | 131 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate |
| Offset 187, 44 lines modified | Offset 187, 44 lines modified | ||
| 187 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 187 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 188 | class·remove_telnetd-ssl·{ | 188 | class·remove_telnetd-ssl·{ |
| 189 | ··package·{·'telnetd-ssl': | 189 | ··package·{·'telnetd-ssl': |
| 190 | ····ensure·=>·'purged', | 190 | ····ensure·=>·'purged', |
| 191 | ··} | 191 | ··} |
| 192 | } | 192 | } |
| 193 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 193 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 195 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 195 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 196 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 196 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 197 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 197 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 198 | #» ···from·the·system,·and·may·remove·any·packages | 198 | #» ···from·the·system,·and·may·remove·any·packages |
| 199 | #» ···that·depend·on·telnetd.·Execute·this | 199 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 200 | #» ···remediation·AFTER·testing·on·a·non-production | 200 | #» ···remediation·AFTER·testing·on·a·non-production |
| 201 | #» ···system! | 201 | #» ···system! |
| 202 | apt-get·remove·--purge·telnetd | 202 | apt-get·remove·--purge·inetutils-telnetd |
| 203 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 203 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 204 | ··package: | 204 | ··package: |
| 205 | ····name="{{item}}" | 205 | ····name="{{item}}" |
| 206 | ····state=absent | 206 | ····state=absent |
| 207 | ··with_items: | 207 | ··with_items: |
| 208 | ····-·telnetd | 208 | ····-·inetutils-telnetd |
| 209 | ··tags: | 209 | ··tags: |
| 210 | ····-·package_telnetd_removed | 210 | ····-·package_inetutils-telnetd_removed |
| 211 | ····-·high_severity | 211 | ····-·high_severity |
| 212 | ····-·disable_strategy | 212 | ····-·disable_strategy |
| 213 | ····-·low_complexity | 213 | ····-·low_complexity |
| 214 | ····-·low_disruption | 214 | ····-·low_disruption |
| 215 | ····-·CCE- | 215 | ····-·CCE- |
| 216 | ····-·NIST-800-53-AC-17(8) | 216 | ····-·NIST-800-53-AC-17(8) |
| 217 | ····-·NIST-800-53-CM-7 | 217 | ····-·NIST-800-53-CM-7 |
| 218 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 218 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 219 | class·remove_telnetd·{ | 219 | class·remove_inetutils-telnetd·{ |
| 220 | ··package·{·'telnetd': | 220 | ··package·{·'inetutils-telnetd': |
| 221 | ····ensure·=>·'purged', | 221 | ····ensure·=>·'purged', |
| 222 | ··} | 222 | ··} |
| 223 | } | 223 | } |
| 224 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 224 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 225 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 225 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 226 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4887"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service | 226 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4887"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service |
| 227 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 227 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 384, 26 lines modified | Offset 384, 23 lines modified | ||
| 384 | verified·by·ensuring·that·the·following | 384 | verified·by·ensuring·that·the·following |
| 385 | line·appears: | 385 | line·appears: |
| 386 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | 386 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that |
| 387 | result·in·security·vulnerabilities·and | 387 | result·in·security·vulnerabilities·and |
| 388 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 388 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 389 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 389 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 390 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 390 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 391 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 391 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count |
| 392 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_ | 392 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 393 | e | 393 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 394 | 394 | follows: | |
| 395 | <pre> | 395 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 396 | 396 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 397 | 397 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | |
| 398 | remote·login·via·SSH·will·require·a·password, | ||
| 399 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 400 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 401 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 398 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 402 | ············<a·href="http:// | 399 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 403 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 400 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 404 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 401 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 405 | <br><br> | 402 | <br><br> |
| 406 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 403 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 407 | follows: | 404 | follows: |
| 408 | <pre>ClientAliveInterval·<b>interval</b></pre> | 405 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 409 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | 406 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| Offset 413, 23 lines modified | Offset 410, 26 lines modified | ||
| 413 | shell,·that·value·will·preempt·any·SSH | 410 | shell,·that·value·will·preempt·any·SSH |
| 414 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 411 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 415 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 412 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 416 | guards·against·compromises·one·system·leading·trivially | 413 | guards·against·compromises·one·system·leading·trivially |
| 417 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 414 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 418 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 415 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 419 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 416 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 420 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_ | 417 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5066"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords |
| 421 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_ | 418 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with |
| 422 | e | 419 | empty·passwords,·add·or·correct·the·following·line·in |
| Max diff block lines reached; 24230/55095 bytes (43.98%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 89, 44 lines modified | Offset 89, 44 lines modified | ||
| 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 90 | class·remove_nis·{ | 90 | class·remove_nis·{ |
| 91 | ··package·{·'nis': | 91 | ··package·{·'nis': |
| 92 | ····ensure·=>·'purged', | 92 | ····ensure·=>·'purged', |
| 93 | ··} | 93 | ··} |
| 94 | } | 94 | } |
| 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 100 | #» ···from·the·system,·and·may·remove·any·packages | 100 | #» ···from·the·system,·and·may·remove·any·packages |
| 101 | #» ···that·depend·on· | 101 | #» ···that·depend·on·telnetd.·Execute·this |
| 102 | #» ···remediation·AFTER·testing·on·a·non-production | 102 | #» ···remediation·AFTER·testing·on·a·non-production |
| 103 | #» ···system! | 103 | #» ···system! |
| 104 | apt-get·remove·--purge· | 104 | apt-get·remove·--purge·telnetd |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 106 | ··package: | 106 | ··package: |
| 107 | ····name="{{item}}" | 107 | ····name="{{item}}" |
| 108 | ····state=absent | 108 | ····state=absent |
| 109 | ··with_items: | 109 | ··with_items: |
| 110 | ····-· | 110 | ····-·telnetd |
| 111 | ··tags: | 111 | ··tags: |
| 112 | ····-·package_ | 112 | ····-·package_telnetd_removed |
| 113 | ····-·high_severity | 113 | ····-·high_severity |
| 114 | ····-·disable_strategy | 114 | ····-·disable_strategy |
| 115 | ····-·low_complexity | 115 | ····-·low_complexity |
| 116 | ····-·low_disruption | 116 | ····-·low_disruption |
| 117 | ····-·CCE- | 117 | ····-·CCE- |
| 118 | ····-·NIST-800-53-AC-17(8) | 118 | ····-·NIST-800-53-AC-17(8) |
| 119 | ····-·NIST-800-53-CM-7 | 119 | ····-·NIST-800-53-CM-7 |
| 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 121 | class·remove_ | 121 | class·remove_telnetd·{ |
| 122 | ··package·{·' | 122 | ··package·{·'telnetd': |
| 123 | ····ensure·=>·'purged', | 123 | ····ensure·=>·'purged', |
| 124 | ··} | 124 | ··} |
| 125 | } | 125 | } |
| 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package | 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package |
| 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate | 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate |
| Offset 185, 44 lines modified | Offset 185, 44 lines modified | ||
| 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 186 | class·remove_telnetd-ssl·{ | 186 | class·remove_telnetd-ssl·{ |
| 187 | ··package·{·'telnetd-ssl': | 187 | ··package·{·'telnetd-ssl': |
| 188 | ····ensure·=>·'purged', | 188 | ····ensure·=>·'purged', |
| 189 | ··} | 189 | ··} |
| 190 | } | 190 | } |
| 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 196 | #» ···from·the·system,·and·may·remove·any·packages | 196 | #» ···from·the·system,·and·may·remove·any·packages |
| 197 | #» ···that·depend·on·telnetd.·Execute·this | 197 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 198 | #» ···remediation·AFTER·testing·on·a·non-production | 198 | #» ···remediation·AFTER·testing·on·a·non-production |
| 199 | #» ···system! | 199 | #» ···system! |
| 200 | apt-get·remove·--purge·telnetd | 200 | apt-get·remove·--purge·inetutils-telnetd |
| 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 202 | ··package: | 202 | ··package: |
| 203 | ····name="{{item}}" | 203 | ····name="{{item}}" |
| 204 | ····state=absent | 204 | ····state=absent |
| 205 | ··with_items: | 205 | ··with_items: |
| 206 | ····-·telnetd | 206 | ····-·inetutils-telnetd |
| 207 | ··tags: | 207 | ··tags: |
| 208 | ····-·package_telnetd_removed | 208 | ····-·package_inetutils-telnetd_removed |
| 209 | ····-·high_severity | 209 | ····-·high_severity |
| 210 | ····-·disable_strategy | 210 | ····-·disable_strategy |
| 211 | ····-·low_complexity | 211 | ····-·low_complexity |
| 212 | ····-·low_disruption | 212 | ····-·low_disruption |
| 213 | ····-·CCE- | 213 | ····-·CCE- |
| 214 | ····-·NIST-800-53-AC-17(8) | 214 | ····-·NIST-800-53-AC-17(8) |
| 215 | ····-·NIST-800-53-CM-7 | 215 | ····-·NIST-800-53-CM-7 |
| 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 217 | class·remove_telnetd·{ | 217 | class·remove_inetutils-telnetd·{ |
| 218 | ··package·{·'telnetd': | 218 | ··package·{·'inetutils-telnetd': |
| 219 | ····ensure·=>·'purged', | 219 | ····ensure·=>·'purged', |
| 220 | ··} | 220 | ··} |
| 221 | } | 221 | } |
| 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service | 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 269, 26 lines modified | Offset 269, 23 lines modified | ||
| 269 | verified·by·ensuring·that·the·following | 269 | verified·by·ensuring·that·the·following |
| 270 | line·appears: | 270 | line·appears: |
| 271 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | 271 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that |
| 272 | result·in·security·vulnerabilities·and | 272 | result·in·security·vulnerabilities·and |
| 273 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 273 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 274 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 274 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 275 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 275 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 276 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 276 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count |
| 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_ | 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 278 | e | 278 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 279 | 279 | follows: | |
| 280 | <pre> | 280 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 281 | 281 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 282 | 282 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | |
| 283 | remote·login·via·SSH·will·require·a·password, | ||
| 284 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 285 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 286 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 283 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 287 | ············<a·href="http:// | 284 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 288 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 285 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 289 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 286 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| Max diff block lines reached; 38991/69435 bytes (56.15%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"><small>contains·37·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 89, 44 lines modified | Offset 89, 44 lines modified | ||
| 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 90 | class·remove_nis·{ | 90 | class·remove_nis·{ |
| 91 | ··package·{·'nis': | 91 | ··package·{·'nis': |
| 92 | ····ensure·=>·'purged', | 92 | ····ensure·=>·'purged', |
| 93 | ··} | 93 | ··} |
| 94 | } | 94 | } |
| 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 100 | #» ···from·the·system,·and·may·remove·any·packages | 100 | #» ···from·the·system,·and·may·remove·any·packages |
| 101 | #» ···that·depend·on· | 101 | #» ···that·depend·on·telnetd.·Execute·this |
| 102 | #» ···remediation·AFTER·testing·on·a·non-production | 102 | #» ···remediation·AFTER·testing·on·a·non-production |
| 103 | #» ···system! | 103 | #» ···system! |
| 104 | apt-get·remove·--purge· | 104 | apt-get·remove·--purge·telnetd |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 106 | ··package: | 106 | ··package: |
| 107 | ····name="{{item}}" | 107 | ····name="{{item}}" |
| 108 | ····state=absent | 108 | ····state=absent |
| 109 | ··with_items: | 109 | ··with_items: |
| 110 | ····-· | 110 | ····-·telnetd |
| 111 | ··tags: | 111 | ··tags: |
| 112 | ····-·package_ | 112 | ····-·package_telnetd_removed |
| 113 | ····-·high_severity | 113 | ····-·high_severity |
| 114 | ····-·disable_strategy | 114 | ····-·disable_strategy |
| 115 | ····-·low_complexity | 115 | ····-·low_complexity |
| 116 | ····-·low_disruption | 116 | ····-·low_disruption |
| 117 | ····-·CCE- | 117 | ····-·CCE- |
| 118 | ····-·NIST-800-53-AC-17(8) | 118 | ····-·NIST-800-53-AC-17(8) |
| 119 | ····-·NIST-800-53-CM-7 | 119 | ····-·NIST-800-53-CM-7 |
| 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 121 | class·remove_ | 121 | class·remove_telnetd·{ |
| 122 | ··package·{·' | 122 | ··package·{·'telnetd': |
| 123 | ····ensure·=>·'purged', | 123 | ····ensure·=>·'purged', |
| 124 | ··} | 124 | ··} |
| 125 | } | 125 | } |
| 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package | 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package |
| 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate | 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate |
| Offset 185, 44 lines modified | Offset 185, 44 lines modified | ||
| 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 186 | class·remove_telnetd-ssl·{ | 186 | class·remove_telnetd-ssl·{ |
| 187 | ··package·{·'telnetd-ssl': | 187 | ··package·{·'telnetd-ssl': |
| 188 | ····ensure·=>·'purged', | 188 | ····ensure·=>·'purged', |
| 189 | ··} | 189 | ··} |
| 190 | } | 190 | } |
| 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 196 | #» ···from·the·system,·and·may·remove·any·packages | 196 | #» ···from·the·system,·and·may·remove·any·packages |
| 197 | #» ···that·depend·on·telnetd.·Execute·this | 197 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 198 | #» ···remediation·AFTER·testing·on·a·non-production | 198 | #» ···remediation·AFTER·testing·on·a·non-production |
| 199 | #» ···system! | 199 | #» ···system! |
| 200 | apt-get·remove·--purge·telnetd | 200 | apt-get·remove·--purge·inetutils-telnetd |
| 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 202 | ··package: | 202 | ··package: |
| 203 | ····name="{{item}}" | 203 | ····name="{{item}}" |
| 204 | ····state=absent | 204 | ····state=absent |
| 205 | ··with_items: | 205 | ··with_items: |
| 206 | ····-·telnetd | 206 | ····-·inetutils-telnetd |
| 207 | ··tags: | 207 | ··tags: |
| 208 | ····-·package_telnetd_removed | 208 | ····-·package_inetutils-telnetd_removed |
| 209 | ····-·high_severity | 209 | ····-·high_severity |
| 210 | ····-·disable_strategy | 210 | ····-·disable_strategy |
| 211 | ····-·low_complexity | 211 | ····-·low_complexity |
| 212 | ····-·low_disruption | 212 | ····-·low_disruption |
| 213 | ····-·CCE- | 213 | ····-·CCE- |
| 214 | ····-·NIST-800-53-AC-17(8) | 214 | ····-·NIST-800-53-AC-17(8) |
| 215 | ····-·NIST-800-53-CM-7 | 215 | ····-·NIST-800-53-CM-7 |
| 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 217 | class·remove_telnetd·{ | 217 | class·remove_inetutils-telnetd·{ |
| 218 | ··package·{·'telnetd': | 218 | ··package·{·'inetutils-telnetd': |
| 219 | ····ensure·=>·'purged', | 219 | ····ensure·=>·'purged', |
| 220 | ··} | 220 | ··} |
| 221 | } | 221 | } |
| 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service | 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 363, 26 lines modified | Offset 363, 23 lines modified | ||
| 363 | verified·by·ensuring·that·the·following | 363 | verified·by·ensuring·that·the·following |
| 364 | line·appears: | 364 | line·appears: |
| 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that |
| 366 | result·in·security·vulnerabilities·and | 366 | result·in·security·vulnerabilities·and |
| 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count |
| 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_ | 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 372 | e | 372 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 373 | 373 | follows: | |
| 374 | <pre> | 374 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 375 | 375 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 376 | 376 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | |
| 377 | remote·login·via·SSH·will·require·a·password, | ||
| 378 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 379 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 380 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 377 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 381 | ············<a·href="http:// | 378 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 382 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 379 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 383 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 380 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| Max diff block lines reached; 43389/74020 bytes (58.62%) of diff not shown. | |||
| Offset 89, 44 lines modified | Offset 89, 44 lines modified | ||
| 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 90 | class·remove_nis·{ | 90 | class·remove_nis·{ |
| 91 | ··package·{·'nis': | 91 | ··package·{·'nis': |
| 92 | ····ensure·=>·'purged', | 92 | ····ensure·=>·'purged', |
| 93 | ··} | 93 | ··} |
| 94 | } | 94 | } |
| 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 100 | #» ···from·the·system,·and·may·remove·any·packages | 100 | #» ···from·the·system,·and·may·remove·any·packages |
| 101 | #» ···that·depend·on· | 101 | #» ···that·depend·on·telnetd.·Execute·this |
| 102 | #» ···remediation·AFTER·testing·on·a·non-production | 102 | #» ···remediation·AFTER·testing·on·a·non-production |
| 103 | #» ···system! | 103 | #» ···system! |
| 104 | apt-get·remove·--purge· | 104 | apt-get·remove·--purge·telnetd |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 106 | ··package: | 106 | ··package: |
| 107 | ····name="{{item}}" | 107 | ····name="{{item}}" |
| 108 | ····state=absent | 108 | ····state=absent |
| 109 | ··with_items: | 109 | ··with_items: |
| 110 | ····-· | 110 | ····-·telnetd |
| 111 | ··tags: | 111 | ··tags: |
| 112 | ····-·package_ | 112 | ····-·package_telnetd_removed |
| 113 | ····-·high_severity | 113 | ····-·high_severity |
| 114 | ····-·disable_strategy | 114 | ····-·disable_strategy |
| 115 | ····-·low_complexity | 115 | ····-·low_complexity |
| 116 | ····-·low_disruption | 116 | ····-·low_disruption |
| 117 | ····-·CCE- | 117 | ····-·CCE- |
| 118 | ····-·NIST-800-53-AC-17(8) | 118 | ····-·NIST-800-53-AC-17(8) |
| 119 | ····-·NIST-800-53-CM-7 | 119 | ····-·NIST-800-53-CM-7 |
| 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 121 | class·remove_ | 121 | class·remove_telnetd·{ |
| 122 | ··package·{·' | 122 | ··package·{·'telnetd': |
| 123 | ····ensure·=>·'purged', | 123 | ····ensure·=>·'purged', |
| 124 | ··} | 124 | ··} |
| 125 | } | 125 | } |
| 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·id="guide-tree-leaf-idm4861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">Uninstall·the·ssl·compliant·telnet·server | 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·id="guide-tree-leaf-idm4861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">Uninstall·the·ssl·compliant·telnet·server |
| 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon,·even·with·ssl·support,·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet,·even·with·ssl·support,·should·not·be·installed.·When·remote·shell·is·required,·up-to-date·ssh·daemon·can·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon,·even·with·ssl·support,·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet,·even·with·ssl·support,·should·not·be·installed.·When·remote·shell·is·required,·up-to-date·ssh·daemon·can·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| Offset 155, 44 lines modified | Offset 155, 44 lines modified | ||
| 155 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 155 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 156 | class·remove_telnetd-ssl·{ | 156 | class·remove_telnetd-ssl·{ |
| 157 | ··package·{·'telnetd-ssl': | 157 | ··package·{·'telnetd-ssl': |
| 158 | ····ensure·=>·'purged', | 158 | ····ensure·=>·'purged', |
| 159 | ··} | 159 | ··} |
| 160 | } | 160 | } |
| 161 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 161 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 162 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 162 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 163 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 163 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 164 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 164 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 165 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 165 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 166 | #» ···from·the·system,·and·may·remove·any·packages | 166 | #» ···from·the·system,·and·may·remove·any·packages |
| 167 | #» ···that·depend·on·telnetd.·Execute·this | 167 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 168 | #» ···remediation·AFTER·testing·on·a·non-production | 168 | #» ···remediation·AFTER·testing·on·a·non-production |
| 169 | #» ···system! | 169 | #» ···system! |
| 170 | apt-get·remove·--purge·telnetd | 170 | apt-get·remove·--purge·inetutils-telnetd |
| 171 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 171 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 172 | ··package: | 172 | ··package: |
| 173 | ····name="{{item}}" | 173 | ····name="{{item}}" |
| 174 | ····state=absent | 174 | ····state=absent |
| 175 | ··with_items: | 175 | ··with_items: |
| 176 | ····-·telnetd | 176 | ····-·inetutils-telnetd |
| 177 | ··tags: | 177 | ··tags: |
| 178 | ····-·package_telnetd_removed | 178 | ····-·package_inetutils-telnetd_removed |
| 179 | ····-·high_severity | 179 | ····-·high_severity |
| 180 | ····-·disable_strategy | 180 | ····-·disable_strategy |
| 181 | ····-·low_complexity | 181 | ····-·low_complexity |
| 182 | ····-·low_disruption | 182 | ····-·low_disruption |
| 183 | ····-·CCE- | 183 | ····-·CCE- |
| 184 | ····-·NIST-800-53-AC-17(8) | 184 | ····-·NIST-800-53-AC-17(8) |
| 185 | ····-·NIST-800-53-CM-7 | 185 | ····-·NIST-800-53-CM-7 |
| 186 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 186 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 187 | class·remove_telnetd·{ | 187 | class·remove_inetutils-telnetd·{ |
| 188 | ··package·{·'telnetd': | 188 | ··package·{·'inetutils-telnetd': |
| 189 | ····ensure·=>·'purged', | 189 | ····ensure·=>·'purged', |
| 190 | ··} | 190 | ··} |
| 191 | } | 191 | } |
| 192 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration | 192 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration |
| 193 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·id="guide-tree-leaf-idm5111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_apt"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">Disable·unauthenticated·repositories·in·APT·configuration | 193 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·id="guide-tree-leaf-idm5111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_apt"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">Disable·unauthenticated·repositories·in·APT·configuration |
| 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unauthenticated·repositories·should·not·be·used·for·updates.</p><span·class="label·label-primary">Rationale:</span><p>Repositories·hosts·all·packages·that·will·be·intsalled·on·the·system·during·update. | 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unauthenticated·repositories·should·not·be·used·for·updates.</p><span·class="label·label-primary">Rationale:</span><p>Repositories·hosts·all·packages·that·will·be·intsalled·on·the·system·during·update. |
| 195 | ····If·a·repository·is·not·authenticated,·the·associated·packages·can't·be·trusted, | 195 | ····If·a·repository·is·not·authenticated,·the·associated·packages·can't·be·trusted, |
| Offset 202, 25 lines modified | Offset 202, 25 lines modified | ||
| 202 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo | 202 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo |
| 203 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority | 203 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority |
| 204 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· | 204 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· |
| 205 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands | 205 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands |
| 206 | that·normally·only·<code>root</code>·is·allowed·to·execute. | 206 | that·normally·only·<code>root</code>·is·allowed·to·execute. |
| 207 | <br><br> | 207 | <br><br> |
| 208 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see | 208 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see |
| 209 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·id="guide-tree-leaf-idm5 | 209 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·id="guide-tree-leaf-idm5143"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate |
| 210 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>!authenticate</code>·option,·when·specified,·allows·a·user·to·execute·commands·using | 210 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>!authenticate</code>·option,·when·specified,·allows·a·user·to·execute·commands·using |
| 211 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the | 211 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the |
| 212 | <code>!authenticate</code>·option·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or | 212 | <code>!authenticate</code>·option·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or |
| 213 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they | 213 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they |
| 214 | do·not·have·authorization. | 214 | do·not·have·authorization. |
| 215 | <br><br> | 215 | <br><br> |
| 216 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it | 216 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it |
| 217 | is·critical·that·the·user·re-authenticate.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 217 | is·critical·that·the·user·re-authenticate.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 218 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 218 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 219 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·id="guide-tree-leaf-idm5 | 219 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·id="guide-tree-leaf-idm5163"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD |
| 220 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>NOPASSWD</code>·tag,·when·specified,·allows·a·user·to·execute·commands·using | 220 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>NOPASSWD</code>·tag,·when·specified,·allows·a·user·to·execute·commands·using |
| 221 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the | 221 | sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the |
| 222 | <code>NOPASSWD</code>·tag·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or· | 222 | <code>NOPASSWD</code>·tag·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or· |
| 223 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they | 223 | any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they |
| 224 | do·not·have·authorization. | 224 | do·not·have·authorization. |
| 225 | <br><br> | 225 | <br><br> |
| 226 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it | 226 | When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it |
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Restrictive·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Restrictive·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"><small>contains·36·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 89, 44 lines modified | Offset 89, 44 lines modified | ||
| 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 90 | class·remove_nis·{ | 90 | class·remove_nis·{ |
| 91 | ··package·{·'nis': | 91 | ··package·{·'nis': |
| 92 | ····ensure·=>·'purged', | 92 | ····ensure·=>·'purged', |
| 93 | ··} | 93 | ··} |
| 94 | } | 94 | } |
| 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 100 | #» ···from·the·system,·and·may·remove·any·packages | 100 | #» ···from·the·system,·and·may·remove·any·packages |
| 101 | #» ···that·depend·on· | 101 | #» ···that·depend·on·telnetd.·Execute·this |
| 102 | #» ···remediation·AFTER·testing·on·a·non-production | 102 | #» ···remediation·AFTER·testing·on·a·non-production |
| 103 | #» ···system! | 103 | #» ···system! |
| 104 | apt-get·remove·--purge· | 104 | apt-get·remove·--purge·telnetd |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 106 | ··package: | 106 | ··package: |
| 107 | ····name="{{item}}" | 107 | ····name="{{item}}" |
| 108 | ····state=absent | 108 | ····state=absent |
| 109 | ··with_items: | 109 | ··with_items: |
| 110 | ····-· | 110 | ····-·telnetd |
| 111 | ··tags: | 111 | ··tags: |
| 112 | ····-·package_ | 112 | ····-·package_telnetd_removed |
| 113 | ····-·high_severity | 113 | ····-·high_severity |
| 114 | ····-·disable_strategy | 114 | ····-·disable_strategy |
| 115 | ····-·low_complexity | 115 | ····-·low_complexity |
| 116 | ····-·low_disruption | 116 | ····-·low_disruption |
| 117 | ····-·CCE- | 117 | ····-·CCE- |
| 118 | ····-·NIST-800-53-AC-17(8) | 118 | ····-·NIST-800-53-AC-17(8) |
| 119 | ····-·NIST-800-53-CM-7 | 119 | ····-·NIST-800-53-CM-7 |
| 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 121 | class·remove_ | 121 | class·remove_telnetd·{ |
| 122 | ··package·{·' | 122 | ··package·{·'telnetd': |
| 123 | ····ensure·=>·'purged', | 123 | ····ensure·=>·'purged', |
| 124 | ··} | 124 | ··} |
| 125 | } | 125 | } |
| 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package | 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package |
| 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate | 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate |
| Offset 185, 44 lines modified | Offset 185, 44 lines modified | ||
| 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 186 | class·remove_telnetd-ssl·{ | 186 | class·remove_telnetd-ssl·{ |
| 187 | ··package·{·'telnetd-ssl': | 187 | ··package·{·'telnetd-ssl': |
| 188 | ····ensure·=>·'purged', | 188 | ····ensure·=>·'purged', |
| 189 | ··} | 189 | ··} |
| 190 | } | 190 | } |
| 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 196 | #» ···from·the·system,·and·may·remove·any·packages | 196 | #» ···from·the·system,·and·may·remove·any·packages |
| 197 | #» ···that·depend·on·telnetd.·Execute·this | 197 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 198 | #» ···remediation·AFTER·testing·on·a·non-production | 198 | #» ···remediation·AFTER·testing·on·a·non-production |
| 199 | #» ···system! | 199 | #» ···system! |
| 200 | apt-get·remove·--purge·telnetd | 200 | apt-get·remove·--purge·inetutils-telnetd |
| 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 202 | ··package: | 202 | ··package: |
| 203 | ····name="{{item}}" | 203 | ····name="{{item}}" |
| 204 | ····state=absent | 204 | ····state=absent |
| 205 | ··with_items: | 205 | ··with_items: |
| 206 | ····-·telnetd | 206 | ····-·inetutils-telnetd |
| 207 | ··tags: | 207 | ··tags: |
| 208 | ····-·package_telnetd_removed | 208 | ····-·package_inetutils-telnetd_removed |
| 209 | ····-·high_severity | 209 | ····-·high_severity |
| 210 | ····-·disable_strategy | 210 | ····-·disable_strategy |
| 211 | ····-·low_complexity | 211 | ····-·low_complexity |
| 212 | ····-·low_disruption | 212 | ····-·low_disruption |
| 213 | ····-·CCE- | 213 | ····-·CCE- |
| 214 | ····-·NIST-800-53-AC-17(8) | 214 | ····-·NIST-800-53-AC-17(8) |
| 215 | ····-·NIST-800-53-CM-7 | 215 | ····-·NIST-800-53-CM-7 |
| 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 217 | class·remove_telnetd·{ | 217 | class·remove_inetutils-telnetd·{ |
| 218 | ··package·{·'telnetd': | 218 | ··package·{·'inetutils-telnetd': |
| 219 | ····ensure·=>·'purged', | 219 | ····ensure·=>·'purged', |
| 220 | ··} | 220 | ··} |
| 221 | } | 221 | } |
| 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service | 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 363, 26 lines modified | Offset 363, 23 lines modified | ||
| 363 | verified·by·ensuring·that·the·following | 363 | verified·by·ensuring·that·the·following |
| 364 | line·appears: | 364 | line·appears: |
| 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | 365 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that |
| 366 | result·in·security·vulnerabilities·and | 366 | result·in·security·vulnerabilities·and |
| 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 367 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 368 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 369 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 370 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count |
| 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_ | 371 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 372 | e | 372 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 373 | 373 | follows: | |
| 374 | <pre> | 374 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 375 | 375 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 376 | 376 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | |
| 377 | remote·login·via·SSH·will·require·a·password, | ||
| 378 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 379 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 380 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 377 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 381 | ············<a·href="http:// | 378 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 382 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 379 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 383 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 380 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| Max diff block lines reached; 38991/69429 bytes (56.16%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| Offset 75, 15 lines modified | Offset 75, 23 lines modified | ||
| 75 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 75 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 77 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 77 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 78 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 78 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 79 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 79 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 80 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration | 80 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration |
| 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings | 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings |
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage |
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo | ||
| 84 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority | ||
| 85 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· | ||
| 86 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands | ||
| 87 | that·normally·only·<code>root</code>·is·allowed·to·execute. | ||
| 88 | <br><br> | ||
| 89 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see | ||
| 90 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog | ||
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for | 91 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for |
| 84 | many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format, | 92 | many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format, |
| 85 | lack·of·authentication·for·received·messages,·and·lack·of·authentication, | 93 | lack·of·authentication·for·received·messages,·and·lack·of·authentication, |
| 86 | encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However, | 94 | encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However, |
| 87 | due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by | 95 | due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by |
| 88 | almost·all·Unix·applications. | 96 | almost·all·Unix·applications. |
| 89 | <br> | 97 | <br> |
| Offset 165, 23 lines modified | Offset 173, 15 lines modified | ||
| 165 | stores·four·archival·copies·of·each·log.·These·settings·can·be | 173 | stores·four·archival·copies·of·each·log.·These·settings·can·be |
| 166 | modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are | 174 | modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are |
| 167 | sufficient·for·purposes·of·this·guide. | 175 | sufficient·for·purposes·of·this·guide. |
| 168 | <br><br> | 176 | <br><br> |
| 169 | Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job | 177 | Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job |
| 170 | <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be | 178 | <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be |
| 171 | rotated·more·often·than·once·a·day,·some·other·mechanism·must·be | 179 | rotated·more·often·than·once·a·day,·some·other·mechanism·must·be |
| 172 | used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 180 | used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_fs-part"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem |
| 173 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo | ||
| 174 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority | ||
| 175 | to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· | ||
| 176 | users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands | ||
| 177 | that·normally·only·<code>root</code>·is·allowed·to·execute. | ||
| 178 | <br><br> | ||
| 179 | For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see | ||
| 180 | <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_fs-part"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem | ||
| 181 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_fs-part">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardening·the·filesystem·and·its·usage·is·an·efficient·way·to·ensure·an·efficient·separation·of·services, | 181 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_fs-part">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardening·the·filesystem·and·its·usage·is·an·efficient·way·to·ensure·an·efficient·separation·of·services, |
| 182 | data·and·configurations·while·ensuring·a·more·precise·management·of·filesystem·level·access·rights,·enabling·deactivation | 182 | data·and·configurations·while·ensuring·a·more·precise·management·of·filesystem·level·access·rights,·enabling·deactivation |
| 183 | of·some·specific·rights·at·the·filesystem·level.·Moreover,·the·Linux·Virtual·file·system·support·various·hardening·mechanisms | 183 | of·some·specific·rights·at·the·filesystem·level.·Moreover,·the·Linux·Virtual·file·system·support·various·hardening·mechanisms |
| 184 | that·can·be·set·using·sysctl.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_installation-storage-partitioning"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installation-storage-partitioning"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fs-part"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_installation-storage-partitioning">Partitioning | 184 | that·can·be·set·using·sysctl.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_installation-storage-partitioning"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installation-storage-partitioning"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fs-part"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_installation-storage-partitioning">Partitioning |
| 185 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_installation-storage-partitioning">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Separating·various·locations·of·the·file·systems·in·different·partitions·allows·a·more·restrictive | 185 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_installation-storage-partitioning">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Separating·various·locations·of·the·file·systems·in·different·partitions·allows·a·more·restrictive |
| 186 | ··segregation,·distinctly·from·one·location·to·another.·Moreover,·some·native·restrictions·can·be·made·by | 186 | ··segregation,·distinctly·from·one·location·to·another.·Moreover,·some·native·restrictions·can·be·made·by |
| 187 | partitioning,·such·as·no·hard·link·between·different·filesystems,·and·reduce·the·corruption·impact·to·the | 187 | partitioning,·such·as·no·hard·link·between·different·filesystems,·and·reduce·the·corruption·impact·to·the |
| Offset 91, 44 lines modified | Offset 91, 44 lines modified | ||
| 91 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 91 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 92 | class·remove_nis·{ | 92 | class·remove_nis·{ |
| 93 | ··package·{·'nis': | 93 | ··package·{·'nis': |
| 94 | ····ensure·=>·'purged', | 94 | ····ensure·=>·'purged', |
| 95 | ··} | 95 | ··} |
| 96 | } | 96 | } |
| 97 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 97 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 99 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 99 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 100 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 100 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 101 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 101 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 102 | #» ···from·the·system,·and·may·remove·any·packages | 102 | #» ···from·the·system,·and·may·remove·any·packages |
| 103 | #» ···that·depend·on· | 103 | #» ···that·depend·on·telnetd.·Execute·this |
| 104 | #» ···remediation·AFTER·testing·on·a·non-production | 104 | #» ···remediation·AFTER·testing·on·a·non-production |
| 105 | #» ···system! | 105 | #» ···system! |
| 106 | apt-get·remove·--purge· | 106 | apt-get·remove·--purge·telnetd |
| 107 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 107 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 108 | ··package: | 108 | ··package: |
| 109 | ····name="{{item}}" | 109 | ····name="{{item}}" |
| 110 | ····state=absent | 110 | ····state=absent |
| 111 | ··with_items: | 111 | ··with_items: |
| 112 | ····-· | 112 | ····-·telnetd |
| 113 | ··tags: | 113 | ··tags: |
| 114 | ····-·package_ | 114 | ····-·package_telnetd_removed |
| 115 | ····-·high_severity | 115 | ····-·high_severity |
| 116 | ····-·disable_strategy | 116 | ····-·disable_strategy |
| 117 | ····-·low_complexity | 117 | ····-·low_complexity |
| 118 | ····-·low_disruption | 118 | ····-·low_disruption |
| 119 | ····-·CCE- | 119 | ····-·CCE- |
| 120 | ····-·NIST-800-53-AC-17(8) | 120 | ····-·NIST-800-53-AC-17(8) |
| 121 | ····-·NIST-800-53-CM-7 | 121 | ····-·NIST-800-53-CM-7 |
| 122 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 122 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 123 | class·remove_ | 123 | class·remove_telnetd·{ |
| 124 | ··package·{·' | 124 | ··package·{·'telnetd': |
| 125 | ····ensure·=>·'purged', | 125 | ····ensure·=>·'purged', |
| 126 | ··} | 126 | ··} |
| 127 | } | 127 | } |
| 128 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package | 128 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package |
| 129 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 129 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 130 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 130 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 131 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate | 131 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate |
| Offset 187, 44 lines modified | Offset 187, 44 lines modified | ||
| 187 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 187 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 188 | class·remove_telnetd-ssl·{ | 188 | class·remove_telnetd-ssl·{ |
| 189 | ··package·{·'telnetd-ssl': | 189 | ··package·{·'telnetd-ssl': |
| 190 | ····ensure·=>·'purged', | 190 | ····ensure·=>·'purged', |
| 191 | ··} | 191 | ··} |
| 192 | } | 192 | } |
| 193 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 193 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 195 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 195 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 196 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 196 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 197 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 197 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 198 | #» ···from·the·system,·and·may·remove·any·packages | 198 | #» ···from·the·system,·and·may·remove·any·packages |
| 199 | #» ···that·depend·on·telnetd.·Execute·this | 199 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 200 | #» ···remediation·AFTER·testing·on·a·non-production | 200 | #» ···remediation·AFTER·testing·on·a·non-production |
| 201 | #» ···system! | 201 | #» ···system! |
| 202 | apt-get·remove·--purge·telnetd | 202 | apt-get·remove·--purge·inetutils-telnetd |
| 203 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 203 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 204 | ··package: | 204 | ··package: |
| 205 | ····name="{{item}}" | 205 | ····name="{{item}}" |
| 206 | ····state=absent | 206 | ····state=absent |
| 207 | ··with_items: | 207 | ··with_items: |
| 208 | ····-·telnetd | 208 | ····-·inetutils-telnetd |
| 209 | ··tags: | 209 | ··tags: |
| 210 | ····-·package_telnetd_removed | 210 | ····-·package_inetutils-telnetd_removed |
| 211 | ····-·high_severity | 211 | ····-·high_severity |
| 212 | ····-·disable_strategy | 212 | ····-·disable_strategy |
| 213 | ····-·low_complexity | 213 | ····-·low_complexity |
| 214 | ····-·low_disruption | 214 | ····-·low_disruption |
| 215 | ····-·CCE- | 215 | ····-·CCE- |
| 216 | ····-·NIST-800-53-AC-17(8) | 216 | ····-·NIST-800-53-AC-17(8) |
| 217 | ····-·NIST-800-53-CM-7 | 217 | ····-·NIST-800-53-CM-7 |
| 218 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 218 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 219 | class·remove_telnetd·{ | 219 | class·remove_inetutils-telnetd·{ |
| 220 | ··package·{·'telnetd': | 220 | ··package·{·'inetutils-telnetd': |
| 221 | ····ensure·=>·'purged', | 221 | ····ensure·=>·'purged', |
| 222 | ··} | 222 | ··} |
| 223 | } | 223 | } |
| 224 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 224 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 225 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 225 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 226 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4890"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service | 226 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4890"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service |
| 227 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 227 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 384, 26 lines modified | Offset 384, 23 lines modified | ||
| 384 | verified·by·ensuring·that·the·following | 384 | verified·by·ensuring·that·the·following |
| 385 | line·appears: | 385 | line·appears: |
| 386 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | 386 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that |
| 387 | result·in·security·vulnerabilities·and | 387 | result·in·security·vulnerabilities·and |
| 388 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 388 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 389 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 389 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 390 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 390 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 391 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 391 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count |
| 392 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_ | 392 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 393 | e | 393 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 394 | 394 | follows: | |
| 395 | <pre> | 395 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 396 | 396 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 397 | 397 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | |
| 398 | remote·login·via·SSH·will·require·a·password, | ||
| 399 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 400 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 401 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 398 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 402 | ············<a·href="http:// | 399 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 403 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 400 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 404 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 401 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 405 | <br><br> | 402 | <br><br> |
| 406 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 403 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 407 | follows: | 404 | follows: |
| 408 | <pre>ClientAliveInterval·<b>interval</b></pre> | 405 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 409 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | 406 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| Offset 413, 23 lines modified | Offset 410, 26 lines modified | ||
| 413 | shell,·that·value·will·preempt·any·SSH | 410 | shell,·that·value·will·preempt·any·SSH |
| 414 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 411 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 415 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 412 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 416 | guards·against·compromises·one·system·leading·trivially | 413 | guards·against·compromises·one·system·leading·trivially |
| 417 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 414 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 418 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 415 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 419 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 416 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 420 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_ | 417 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5069"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords |
| 421 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_ | 418 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with |
| 422 | e | 419 | empty·passwords,·add·or·correct·the·following·line·in |
| Max diff block lines reached; 24230/55095 bytes (43.98%) of diff not shown. | |||
| Offset 44, 22 lines modified | Offset 44, 22 lines modified | ||
| 44 | ········-·package_nis_removed | 44 | ········-·package_nis_removed |
| 45 | ········-·low_severity | 45 | ········-·low_severity |
| 46 | ········-·disable_strategy | 46 | ········-·disable_strategy |
| 47 | ········-·low_complexity | 47 | ········-·low_complexity |
| 48 | ········-·low_disruption | 48 | ········-·low_disruption |
| 49 | ········-·CCE- | 49 | ········-·CCE- |
| 50 | ···· | 50 | ···· |
| 51 | ····-·name:·Ensure· | 51 | ····-·name:·Ensure·telnetd·is·removed |
| 52 | ······package: | 52 | ······package: |
| 53 | ········name="{{item}}" | 53 | ········name="{{item}}" |
| 54 | ········state=absent | 54 | ········state=absent |
| 55 | ······with_items: | 55 | ······with_items: |
| 56 | ········-· | 56 | ········-·telnetd |
| 57 | ······tags: | 57 | ······tags: |
| 58 | ········-·package_ | 58 | ········-·package_telnetd_removed |
| 59 | ········-·high_severity | 59 | ········-·high_severity |
| 60 | ········-·disable_strategy | 60 | ········-·disable_strategy |
| 61 | ········-·low_complexity | 61 | ········-·low_complexity |
| 62 | ········-·low_disruption | 62 | ········-·low_disruption |
| 63 | ········-·CCE- | 63 | ········-·CCE- |
| 64 | ········-·NIST-800-53-AC-17(8) | 64 | ········-·NIST-800-53-AC-17(8) |
| 65 | ········-·NIST-800-53-CM-7 | 65 | ········-·NIST-800-53-CM-7 |
| Offset 90, 22 lines modified | Offset 90, 22 lines modified | ||
| 90 | ········-·disable_strategy | 90 | ········-·disable_strategy |
| 91 | ········-·low_complexity | 91 | ········-·low_complexity |
| 92 | ········-·low_disruption | 92 | ········-·low_disruption |
| 93 | ········-·CCE- | 93 | ········-·CCE- |
| 94 | ········-·NIST-800-53-AC-17(8) | 94 | ········-·NIST-800-53-AC-17(8) |
| 95 | ········-·NIST-800-53-CM-7 | 95 | ········-·NIST-800-53-CM-7 |
| 96 | ···· | 96 | ···· |
| 97 | ····-·name:·Ensure·telnetd·is·removed | 97 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 98 | ······package: | 98 | ······package: |
| 99 | ········name="{{item}}" | 99 | ········name="{{item}}" |
| 100 | ········state=absent | 100 | ········state=absent |
| 101 | ······with_items: | 101 | ······with_items: |
| 102 | ········-·telnetd | 102 | ········-·inetutils-telnetd |
| 103 | ······tags: | 103 | ······tags: |
| 104 | ········-·package_telnetd_removed | 104 | ········-·package_inetutils-telnetd_removed |
| 105 | ········-·high_severity | 105 | ········-·high_severity |
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| Offset 44, 22 lines modified | Offset 44, 22 lines modified | ||
| 44 | ········-·package_nis_removed | 44 | ········-·package_nis_removed |
| 45 | ········-·low_severity | 45 | ········-·low_severity |
| 46 | ········-·disable_strategy | 46 | ········-·disable_strategy |
| 47 | ········-·low_complexity | 47 | ········-·low_complexity |
| 48 | ········-·low_disruption | 48 | ········-·low_disruption |
| 49 | ········-·CCE- | 49 | ········-·CCE- |
| 50 | ···· | 50 | ···· |
| 51 | ····-·name:·Ensure· | 51 | ····-·name:·Ensure·telnetd·is·removed |
| 52 | ······package: | 52 | ······package: |
| 53 | ········name="{{item}}" | 53 | ········name="{{item}}" |
| 54 | ········state=absent | 54 | ········state=absent |
| 55 | ······with_items: | 55 | ······with_items: |
| 56 | ········-· | 56 | ········-·telnetd |
| 57 | ······tags: | 57 | ······tags: |
| 58 | ········-·package_ | 58 | ········-·package_telnetd_removed |
| 59 | ········-·high_severity | 59 | ········-·high_severity |
| 60 | ········-·disable_strategy | 60 | ········-·disable_strategy |
| 61 | ········-·low_complexity | 61 | ········-·low_complexity |
| 62 | ········-·low_disruption | 62 | ········-·low_disruption |
| 63 | ········-·CCE- | 63 | ········-·CCE- |
| 64 | ········-·NIST-800-53-AC-17(8) | 64 | ········-·NIST-800-53-AC-17(8) |
| 65 | ········-·NIST-800-53-CM-7 | 65 | ········-·NIST-800-53-CM-7 |
| Offset 90, 22 lines modified | Offset 90, 22 lines modified | ||
| 90 | ········-·disable_strategy | 90 | ········-·disable_strategy |
| 91 | ········-·low_complexity | 91 | ········-·low_complexity |
| 92 | ········-·low_disruption | 92 | ········-·low_disruption |
| 93 | ········-·CCE- | 93 | ········-·CCE- |
| 94 | ········-·NIST-800-53-AC-17(8) | 94 | ········-·NIST-800-53-AC-17(8) |
| 95 | ········-·NIST-800-53-CM-7 | 95 | ········-·NIST-800-53-CM-7 |
| 96 | ···· | 96 | ···· |
| 97 | ····-·name:·Ensure·telnetd·is·removed | 97 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 98 | ······package: | 98 | ······package: |
| 99 | ········name="{{item}}" | 99 | ········name="{{item}}" |
| 100 | ········state=absent | 100 | ········state=absent |
| 101 | ······with_items: | 101 | ······with_items: |
| 102 | ········-·telnetd | 102 | ········-·inetutils-telnetd |
| 103 | ······tags: | 103 | ······tags: |
| 104 | ········-·package_telnetd_removed | 104 | ········-·package_inetutils-telnetd_removed |
| 105 | ········-·high_severity | 105 | ········-·high_severity |
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| Offset 44, 22 lines modified | Offset 44, 22 lines modified | ||
| 44 | ········-·package_nis_removed | 44 | ········-·package_nis_removed |
| 45 | ········-·low_severity | 45 | ········-·low_severity |
| 46 | ········-·disable_strategy | 46 | ········-·disable_strategy |
| 47 | ········-·low_complexity | 47 | ········-·low_complexity |
| 48 | ········-·low_disruption | 48 | ········-·low_disruption |
| 49 | ········-·CCE- | 49 | ········-·CCE- |
| 50 | ···· | 50 | ···· |
| 51 | ····-·name:·Ensure· | 51 | ····-·name:·Ensure·telnetd·is·removed |
| 52 | ······package: | 52 | ······package: |
| 53 | ········name="{{item}}" | 53 | ········name="{{item}}" |
| 54 | ········state=absent | 54 | ········state=absent |
| 55 | ······with_items: | 55 | ······with_items: |
| 56 | ········-· | 56 | ········-·telnetd |
| 57 | ······tags: | 57 | ······tags: |
| 58 | ········-·package_ | 58 | ········-·package_telnetd_removed |
| 59 | ········-·high_severity | 59 | ········-·high_severity |
| 60 | ········-·disable_strategy | 60 | ········-·disable_strategy |
| 61 | ········-·low_complexity | 61 | ········-·low_complexity |
| 62 | ········-·low_disruption | 62 | ········-·low_disruption |
| 63 | ········-·CCE- | 63 | ········-·CCE- |
| 64 | ········-·NIST-800-53-AC-17(8) | 64 | ········-·NIST-800-53-AC-17(8) |
| 65 | ········-·NIST-800-53-CM-7 | 65 | ········-·NIST-800-53-CM-7 |
| Offset 76, 22 lines modified | Offset 76, 22 lines modified | ||
| 76 | ········-·disable_strategy | 76 | ········-·disable_strategy |
| 77 | ········-·low_complexity | 77 | ········-·low_complexity |
| 78 | ········-·low_disruption | 78 | ········-·low_disruption |
| 79 | ········-·CCE- | 79 | ········-·CCE- |
| 80 | ········-·NIST-800-53-AC-17(8) | 80 | ········-·NIST-800-53-AC-17(8) |
| 81 | ········-·NIST-800-53-CM-7 | 81 | ········-·NIST-800-53-CM-7 |
| 82 | ···· | 82 | ···· |
| 83 | ····-·name:·Ensure·telnetd·is·removed | 83 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 84 | ······package: | 84 | ······package: |
| 85 | ········name="{{item}}" | 85 | ········name="{{item}}" |
| 86 | ········state=absent | 86 | ········state=absent |
| 87 | ······with_items: | 87 | ······with_items: |
| 88 | ········-·telnetd | 88 | ········-·inetutils-telnetd |
| 89 | ······tags: | 89 | ······tags: |
| 90 | ········-·package_telnetd_removed | 90 | ········-·package_inetutils-telnetd_removed |
| 91 | ········-·high_severity | 91 | ········-·high_severity |
| 92 | ········-·disable_strategy | 92 | ········-·disable_strategy |
| 93 | ········-·low_complexity | 93 | ········-·low_complexity |
| 94 | ········-·low_disruption | 94 | ········-·low_disruption |
| 95 | ········-·CCE- | 95 | ········-·CCE- |
| 96 | ········-·NIST-800-53-AC-17(8) | 96 | ········-·NIST-800-53-AC-17(8) |
| 97 | ········-·NIST-800-53-CM-7 | 97 | ········-·NIST-800-53-CM-7 |
| Offset 44, 22 lines modified | Offset 44, 22 lines modified | ||
| 44 | ········-·package_nis_removed | 44 | ········-·package_nis_removed |
| 45 | ········-·low_severity | 45 | ········-·low_severity |
| 46 | ········-·disable_strategy | 46 | ········-·disable_strategy |
| 47 | ········-·low_complexity | 47 | ········-·low_complexity |
| 48 | ········-·low_disruption | 48 | ········-·low_disruption |
| 49 | ········-·CCE- | 49 | ········-·CCE- |
| 50 | ···· | 50 | ···· |
| 51 | ····-·name:·Ensure· | 51 | ····-·name:·Ensure·telnetd·is·removed |
| 52 | ······package: | 52 | ······package: |
| 53 | ········name="{{item}}" | 53 | ········name="{{item}}" |
| 54 | ········state=absent | 54 | ········state=absent |
| 55 | ······with_items: | 55 | ······with_items: |
| 56 | ········-· | 56 | ········-·telnetd |
| 57 | ······tags: | 57 | ······tags: |
| 58 | ········-·package_ | 58 | ········-·package_telnetd_removed |
| 59 | ········-·high_severity | 59 | ········-·high_severity |
| 60 | ········-·disable_strategy | 60 | ········-·disable_strategy |
| 61 | ········-·low_complexity | 61 | ········-·low_complexity |
| 62 | ········-·low_disruption | 62 | ········-·low_disruption |
| 63 | ········-·CCE- | 63 | ········-·CCE- |
| 64 | ········-·NIST-800-53-AC-17(8) | 64 | ········-·NIST-800-53-AC-17(8) |
| 65 | ········-·NIST-800-53-CM-7 | 65 | ········-·NIST-800-53-CM-7 |
| Offset 90, 22 lines modified | Offset 90, 22 lines modified | ||
| 90 | ········-·disable_strategy | 90 | ········-·disable_strategy |
| 91 | ········-·low_complexity | 91 | ········-·low_complexity |
| 92 | ········-·low_disruption | 92 | ········-·low_disruption |
| 93 | ········-·CCE- | 93 | ········-·CCE- |
| 94 | ········-·NIST-800-53-AC-17(8) | 94 | ········-·NIST-800-53-AC-17(8) |
| 95 | ········-·NIST-800-53-CM-7 | 95 | ········-·NIST-800-53-CM-7 |
| 96 | ···· | 96 | ···· |
| 97 | ····-·name:·Ensure·telnetd·is·removed | 97 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 98 | ······package: | 98 | ······package: |
| 99 | ········name="{{item}}" | 99 | ········name="{{item}}" |
| 100 | ········state=absent | 100 | ········state=absent |
| 101 | ······with_items: | 101 | ······with_items: |
| 102 | ········-·telnetd | 102 | ········-·inetutils-telnetd |
| 103 | ······tags: | 103 | ······tags: |
| 104 | ········-·package_telnetd_removed | 104 | ········-·package_inetutils-telnetd_removed |
| 105 | ········-·high_severity | 105 | ········-·high_severity |
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| Offset 46, 22 lines modified | Offset 46, 22 lines modified | ||
| 46 | ········-·package_nis_removed | 46 | ········-·package_nis_removed |
| 47 | ········-·low_severity | 47 | ········-·low_severity |
| 48 | ········-·disable_strategy | 48 | ········-·disable_strategy |
| 49 | ········-·low_complexity | 49 | ········-·low_complexity |
| 50 | ········-·low_disruption | 50 | ········-·low_disruption |
| 51 | ········-·CCE- | 51 | ········-·CCE- |
| 52 | ···· | 52 | ···· |
| 53 | ····-·name:·Ensure· | 53 | ····-·name:·Ensure·telnetd·is·removed |
| 54 | ······package: | 54 | ······package: |
| 55 | ········name="{{item}}" | 55 | ········name="{{item}}" |
| 56 | ········state=absent | 56 | ········state=absent |
| 57 | ······with_items: | 57 | ······with_items: |
| 58 | ········-· | 58 | ········-·telnetd |
| 59 | ······tags: | 59 | ······tags: |
| 60 | ········-·package_ | 60 | ········-·package_telnetd_removed |
| 61 | ········-·high_severity | 61 | ········-·high_severity |
| 62 | ········-·disable_strategy | 62 | ········-·disable_strategy |
| 63 | ········-·low_complexity | 63 | ········-·low_complexity |
| 64 | ········-·low_disruption | 64 | ········-·low_disruption |
| 65 | ········-·CCE- | 65 | ········-·CCE- |
| 66 | ········-·NIST-800-53-AC-17(8) | 66 | ········-·NIST-800-53-AC-17(8) |
| 67 | ········-·NIST-800-53-CM-7 | 67 | ········-·NIST-800-53-CM-7 |
| Offset 92, 22 lines modified | Offset 92, 22 lines modified | ||
| 92 | ········-·disable_strategy | 92 | ········-·disable_strategy |
| 93 | ········-·low_complexity | 93 | ········-·low_complexity |
| 94 | ········-·low_disruption | 94 | ········-·low_disruption |
| 95 | ········-·CCE- | 95 | ········-·CCE- |
| 96 | ········-·NIST-800-53-AC-17(8) | 96 | ········-·NIST-800-53-AC-17(8) |
| 97 | ········-·NIST-800-53-CM-7 | 97 | ········-·NIST-800-53-CM-7 |
| 98 | ···· | 98 | ···· |
| 99 | ····-·name:·Ensure·telnetd·is·removed | 99 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 100 | ······package: | 100 | ······package: |
| 101 | ········name="{{item}}" | 101 | ········name="{{item}}" |
| 102 | ········state=absent | 102 | ········state=absent |
| 103 | ······with_items: | 103 | ······with_items: |
| 104 | ········-·telnetd | 104 | ········-·inetutils-telnetd |
| 105 | ······tags: | 105 | ······tags: |
| 106 | ········-·package_telnetd_removed | 106 | ········-·package_inetutils-telnetd_removed |
| 107 | ········-·high_severity | 107 | ········-·high_severity |
| 108 | ········-·disable_strategy | 108 | ········-·disable_strategy |
| 109 | ········-·low_complexity | 109 | ········-·low_complexity |
| 110 | ········-·low_disruption | 110 | ········-·low_disruption |
| 111 | ········-·CCE- | 111 | ········-·CCE- |
| 112 | ········-·NIST-800-53-AC-17(8) | 112 | ········-·NIST-800-53-AC-17(8) |
| 113 | ········-·NIST-800-53-CM-7 | 113 | ········-·NIST-800-53-CM-7 |
| Offset 44, 22 lines modified | Offset 44, 22 lines modified | ||
| 44 | ········-·package_nis_removed | 44 | ········-·package_nis_removed |
| 45 | ········-·low_severity | 45 | ········-·low_severity |
| 46 | ········-·disable_strategy | 46 | ········-·disable_strategy |
| 47 | ········-·low_complexity | 47 | ········-·low_complexity |
| 48 | ········-·low_disruption | 48 | ········-·low_disruption |
| 49 | ········-·CCE- | 49 | ········-·CCE- |
| 50 | ···· | 50 | ···· |
| 51 | ····-·name:·Ensure· | 51 | ····-·name:·Ensure·telnetd·is·removed |
| 52 | ······package: | 52 | ······package: |
| 53 | ········name="{{item}}" | 53 | ········name="{{item}}" |
| 54 | ········state=absent | 54 | ········state=absent |
| 55 | ······with_items: | 55 | ······with_items: |
| 56 | ········-· | 56 | ········-·telnetd |
| 57 | ······tags: | 57 | ······tags: |
| 58 | ········-·package_ | 58 | ········-·package_telnetd_removed |
| 59 | ········-·high_severity | 59 | ········-·high_severity |
| 60 | ········-·disable_strategy | 60 | ········-·disable_strategy |
| 61 | ········-·low_complexity | 61 | ········-·low_complexity |
| 62 | ········-·low_disruption | 62 | ········-·low_disruption |
| 63 | ········-·CCE- | 63 | ········-·CCE- |
| 64 | ········-·NIST-800-53-AC-17(8) | 64 | ········-·NIST-800-53-AC-17(8) |
| 65 | ········-·NIST-800-53-CM-7 | 65 | ········-·NIST-800-53-CM-7 |
| Offset 90, 22 lines modified | Offset 90, 22 lines modified | ||
| 90 | ········-·disable_strategy | 90 | ········-·disable_strategy |
| 91 | ········-·low_complexity | 91 | ········-·low_complexity |
| 92 | ········-·low_disruption | 92 | ········-·low_disruption |
| 93 | ········-·CCE- | 93 | ········-·CCE- |
| 94 | ········-·NIST-800-53-AC-17(8) | 94 | ········-·NIST-800-53-AC-17(8) |
| 95 | ········-·NIST-800-53-CM-7 | 95 | ········-·NIST-800-53-CM-7 |
| 96 | ···· | 96 | ···· |
| 97 | ····-·name:·Ensure·telnetd·is·removed | 97 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 98 | ······package: | 98 | ······package: |
| 99 | ········name="{{item}}" | 99 | ········name="{{item}}" |
| 100 | ········state=absent | 100 | ········state=absent |
| 101 | ······with_items: | 101 | ······with_items: |
| 102 | ········-·telnetd | 102 | ········-·inetutils-telnetd |
| 103 | ······tags: | 103 | ······tags: |
| 104 | ········-·package_telnetd_removed | 104 | ········-·package_inetutils-telnetd_removed |
| 105 | ········-·high_severity | 105 | ········-·high_severity |
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| Offset 44, 22 lines modified | Offset 44, 22 lines modified | ||
| 44 | ········-·package_nis_removed | 44 | ········-·package_nis_removed |
| 45 | ········-·low_severity | 45 | ········-·low_severity |
| 46 | ········-·disable_strategy | 46 | ········-·disable_strategy |
| 47 | ········-·low_complexity | 47 | ········-·low_complexity |
| 48 | ········-·low_disruption | 48 | ········-·low_disruption |
| 49 | ········-·CCE- | 49 | ········-·CCE- |
| 50 | ···· | 50 | ···· |
| 51 | ····-·name:·Ensure· | 51 | ····-·name:·Ensure·telnetd·is·removed |
| 52 | ······package: | 52 | ······package: |
| 53 | ········name="{{item}}" | 53 | ········name="{{item}}" |
| 54 | ········state=absent | 54 | ········state=absent |
| 55 | ······with_items: | 55 | ······with_items: |
| 56 | ········-· | 56 | ········-·telnetd |
| 57 | ······tags: | 57 | ······tags: |
| 58 | ········-·package_ | 58 | ········-·package_telnetd_removed |
| 59 | ········-·high_severity | 59 | ········-·high_severity |
| 60 | ········-·disable_strategy | 60 | ········-·disable_strategy |
| 61 | ········-·low_complexity | 61 | ········-·low_complexity |
| 62 | ········-·low_disruption | 62 | ········-·low_disruption |
| 63 | ········-·CCE- | 63 | ········-·CCE- |
| 64 | ········-·NIST-800-53-AC-17(8) | 64 | ········-·NIST-800-53-AC-17(8) |
| 65 | ········-·NIST-800-53-CM-7 | 65 | ········-·NIST-800-53-CM-7 |
| Offset 90, 22 lines modified | Offset 90, 22 lines modified | ||
| 90 | ········-·disable_strategy | 90 | ········-·disable_strategy |
| 91 | ········-·low_complexity | 91 | ········-·low_complexity |
| 92 | ········-·low_disruption | 92 | ········-·low_disruption |
| 93 | ········-·CCE- | 93 | ········-·CCE- |
| 94 | ········-·NIST-800-53-AC-17(8) | 94 | ········-·NIST-800-53-AC-17(8) |
| 95 | ········-·NIST-800-53-CM-7 | 95 | ········-·NIST-800-53-CM-7 |
| 96 | ···· | 96 | ···· |
| 97 | ····-·name:·Ensure·telnetd·is·removed | 97 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 98 | ······package: | 98 | ······package: |
| 99 | ········name="{{item}}" | 99 | ········name="{{item}}" |
| 100 | ········state=absent | 100 | ········state=absent |
| 101 | ······with_items: | 101 | ······with_items: |
| 102 | ········-·telnetd | 102 | ········-·inetutils-telnetd |
| 103 | ······tags: | 103 | ······tags: |
| 104 | ········-·package_telnetd_removed | 104 | ········-·package_inetutils-telnetd_removed |
| 105 | ········-·high_severity | 105 | ········-·high_severity |
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| Offset 44, 22 lines modified | Offset 44, 22 lines modified | ||
| 44 | ········-·package_nis_removed | 44 | ········-·package_nis_removed |
| 45 | ········-·low_severity | 45 | ········-·low_severity |
| 46 | ········-·disable_strategy | 46 | ········-·disable_strategy |
| 47 | ········-·low_complexity | 47 | ········-·low_complexity |
| 48 | ········-·low_disruption | 48 | ········-·low_disruption |
| 49 | ········-·CCE- | 49 | ········-·CCE- |
| 50 | ···· | 50 | ···· |
| 51 | ····-·name:·Ensure· | 51 | ····-·name:·Ensure·telnetd·is·removed |
| 52 | ······package: | 52 | ······package: |
| 53 | ········name="{{item}}" | 53 | ········name="{{item}}" |
| 54 | ········state=absent | 54 | ········state=absent |
| 55 | ······with_items: | 55 | ······with_items: |
| 56 | ········-· | 56 | ········-·telnetd |
| 57 | ······tags: | 57 | ······tags: |
| 58 | ········-·package_ | 58 | ········-·package_telnetd_removed |
| 59 | ········-·high_severity | 59 | ········-·high_severity |
| 60 | ········-·disable_strategy | 60 | ········-·disable_strategy |
| 61 | ········-·low_complexity | 61 | ········-·low_complexity |
| 62 | ········-·low_disruption | 62 | ········-·low_disruption |
| 63 | ········-·CCE- | 63 | ········-·CCE- |
| 64 | ········-·NIST-800-53-AC-17(8) | 64 | ········-·NIST-800-53-AC-17(8) |
| 65 | ········-·NIST-800-53-CM-7 | 65 | ········-·NIST-800-53-CM-7 |
| Offset 76, 22 lines modified | Offset 76, 22 lines modified | ||
| 76 | ········-·disable_strategy | 76 | ········-·disable_strategy |
| 77 | ········-·low_complexity | 77 | ········-·low_complexity |
| 78 | ········-·low_disruption | 78 | ········-·low_disruption |
| 79 | ········-·CCE- | 79 | ········-·CCE- |
| 80 | ········-·NIST-800-53-AC-17(8) | 80 | ········-·NIST-800-53-AC-17(8) |
| 81 | ········-·NIST-800-53-CM-7 | 81 | ········-·NIST-800-53-CM-7 |
| 82 | ···· | 82 | ···· |
| 83 | ····-·name:·Ensure·telnetd·is·removed | 83 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 84 | ······package: | 84 | ······package: |
| 85 | ········name="{{item}}" | 85 | ········name="{{item}}" |
| 86 | ········state=absent | 86 | ········state=absent |
| 87 | ······with_items: | 87 | ······with_items: |
| 88 | ········-·telnetd | 88 | ········-·inetutils-telnetd |
| 89 | ······tags: | 89 | ······tags: |
| 90 | ········-·package_telnetd_removed | 90 | ········-·package_inetutils-telnetd_removed |
| 91 | ········-·high_severity | 91 | ········-·high_severity |
| 92 | ········-·disable_strategy | 92 | ········-·disable_strategy |
| 93 | ········-·low_complexity | 93 | ········-·low_complexity |
| 94 | ········-·low_disruption | 94 | ········-·low_disruption |
| 95 | ········-·CCE- | 95 | ········-·CCE- |
| 96 | ········-·NIST-800-53-AC-17(8) | 96 | ········-·NIST-800-53-AC-17(8) |
| 97 | ········-·NIST-800-53-CM-7 | 97 | ········-·NIST-800-53-CM-7 |
| Offset 44, 22 lines modified | Offset 44, 22 lines modified | ||
| 44 | ········-·package_nis_removed | 44 | ········-·package_nis_removed |
| 45 | ········-·low_severity | 45 | ········-·low_severity |
| 46 | ········-·disable_strategy | 46 | ········-·disable_strategy |
| 47 | ········-·low_complexity | 47 | ········-·low_complexity |
| 48 | ········-·low_disruption | 48 | ········-·low_disruption |
| 49 | ········-·CCE- | 49 | ········-·CCE- |
| 50 | ···· | 50 | ···· |
| 51 | ····-·name:·Ensure· | 51 | ····-·name:·Ensure·telnetd·is·removed |
| 52 | ······package: | 52 | ······package: |
| 53 | ········name="{{item}}" | 53 | ········name="{{item}}" |
| 54 | ········state=absent | 54 | ········state=absent |
| 55 | ······with_items: | 55 | ······with_items: |
| 56 | ········-· | 56 | ········-·telnetd |
| 57 | ······tags: | 57 | ······tags: |
| 58 | ········-·package_ | 58 | ········-·package_telnetd_removed |
| 59 | ········-·high_severity | 59 | ········-·high_severity |
| 60 | ········-·disable_strategy | 60 | ········-·disable_strategy |
| 61 | ········-·low_complexity | 61 | ········-·low_complexity |
| 62 | ········-·low_disruption | 62 | ········-·low_disruption |
| 63 | ········-·CCE- | 63 | ········-·CCE- |
| 64 | ········-·NIST-800-53-AC-17(8) | 64 | ········-·NIST-800-53-AC-17(8) |
| 65 | ········-·NIST-800-53-CM-7 | 65 | ········-·NIST-800-53-CM-7 |
| Offset 90, 22 lines modified | Offset 90, 22 lines modified | ||
| 90 | ········-·disable_strategy | 90 | ········-·disable_strategy |
| 91 | ········-·low_complexity | 91 | ········-·low_complexity |
| 92 | ········-·low_disruption | 92 | ········-·low_disruption |
| 93 | ········-·CCE- | 93 | ········-·CCE- |
| 94 | ········-·NIST-800-53-AC-17(8) | 94 | ········-·NIST-800-53-AC-17(8) |
| 95 | ········-·NIST-800-53-CM-7 | 95 | ········-·NIST-800-53-CM-7 |
| 96 | ···· | 96 | ···· |
| 97 | ····-·name:·Ensure·telnetd·is·removed | 97 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 98 | ······package: | 98 | ······package: |
| 99 | ········name="{{item}}" | 99 | ········name="{{item}}" |
| 100 | ········state=absent | 100 | ········state=absent |
| 101 | ······with_items: | 101 | ······with_items: |
| 102 | ········-·telnetd | 102 | ········-·inetutils-telnetd |
| 103 | ······tags: | 103 | ······tags: |
| 104 | ········-·package_telnetd_removed | 104 | ········-·package_inetutils-telnetd_removed |
| 105 | ········-·high_severity | 105 | ········-·high_severity |
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| Offset 46, 22 lines modified | Offset 46, 22 lines modified | ||
| 46 | ········-·package_nis_removed | 46 | ········-·package_nis_removed |
| 47 | ········-·low_severity | 47 | ········-·low_severity |
| 48 | ········-·disable_strategy | 48 | ········-·disable_strategy |
| 49 | ········-·low_complexity | 49 | ········-·low_complexity |
| 50 | ········-·low_disruption | 50 | ········-·low_disruption |
| 51 | ········-·CCE- | 51 | ········-·CCE- |
| 52 | ···· | 52 | ···· |
| 53 | ····-·name:·Ensure· | 53 | ····-·name:·Ensure·telnetd·is·removed |
| 54 | ······package: | 54 | ······package: |
| 55 | ········name="{{item}}" | 55 | ········name="{{item}}" |
| 56 | ········state=absent | 56 | ········state=absent |
| 57 | ······with_items: | 57 | ······with_items: |
| 58 | ········-· | 58 | ········-·telnetd |
| 59 | ······tags: | 59 | ······tags: |
| 60 | ········-·package_ | 60 | ········-·package_telnetd_removed |
| 61 | ········-·high_severity | 61 | ········-·high_severity |
| 62 | ········-·disable_strategy | 62 | ········-·disable_strategy |
| 63 | ········-·low_complexity | 63 | ········-·low_complexity |
| 64 | ········-·low_disruption | 64 | ········-·low_disruption |
| 65 | ········-·CCE- | 65 | ········-·CCE- |
| 66 | ········-·NIST-800-53-AC-17(8) | 66 | ········-·NIST-800-53-AC-17(8) |
| 67 | ········-·NIST-800-53-CM-7 | 67 | ········-·NIST-800-53-CM-7 |
| Offset 92, 22 lines modified | Offset 92, 22 lines modified | ||
| 92 | ········-·disable_strategy | 92 | ········-·disable_strategy |
| 93 | ········-·low_complexity | 93 | ········-·low_complexity |
| 94 | ········-·low_disruption | 94 | ········-·low_disruption |
| 95 | ········-·CCE- | 95 | ········-·CCE- |
| 96 | ········-·NIST-800-53-AC-17(8) | 96 | ········-·NIST-800-53-AC-17(8) |
| 97 | ········-·NIST-800-53-CM-7 | 97 | ········-·NIST-800-53-CM-7 |
| 98 | ···· | 98 | ···· |
| 99 | ····-·name:·Ensure·telnetd·is·removed | 99 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 100 | ······package: | 100 | ······package: |
| 101 | ········name="{{item}}" | 101 | ········name="{{item}}" |
| 102 | ········state=absent | 102 | ········state=absent |
| 103 | ······with_items: | 103 | ······with_items: |
| 104 | ········-·telnetd | 104 | ········-·inetutils-telnetd |
| 105 | ······tags: | 105 | ······tags: |
| 106 | ········-·package_telnetd_removed | 106 | ········-·package_inetutils-telnetd_removed |
| 107 | ········-·high_severity | 107 | ········-·high_severity |
| 108 | ········-·disable_strategy | 108 | ········-·disable_strategy |
| 109 | ········-·low_complexity | 109 | ········-·low_complexity |
| 110 | ········-·low_disruption | 110 | ········-·low_disruption |
| 111 | ········-·CCE- | 111 | ········-·CCE- |
| 112 | ········-·NIST-800-53-AC-17(8) | 112 | ········-·NIST-800-53-AC-17(8) |
| 113 | ········-·NIST-800-53-CM-7 | 113 | ········-·NIST-800-53-CM-7 |
| Offset 31, 25 lines modified | Offset 31, 25 lines modified | ||
| 31 | #» ···remediation·AFTER·testing·on·a·non-production | 31 | #» ···remediation·AFTER·testing·on·a·non-production |
| 32 | #» ···system! | 32 | #» ···system! |
| 33 | apt-get·remove·--purge·nis | 33 | apt-get·remove·--purge·nis |
| 34 | #·END·fix·for·'package_nis_removed' | 34 | #·END·fix·for·'package_nis_removed' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(2·/·32)·for·'package_ | 36 | #·BEGIN·fix·(2·/·32)·for·'package_telnetd_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·2/32:·'package_ | 38 | (>&2·echo·"Remediating·rule·2/32:·'package_telnetd_removed'") |
| 39 | #·CAUTION:·This·remediation·script·will·remove· | 39 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 40 | #» ···from·the·system,·and·may·remove·any·packages | 40 | #» ···from·the·system,·and·may·remove·any·packages |
| 41 | #» ···that·depend·on· | 41 | #» ···that·depend·on·telnetd.·Execute·this |
| 42 | #» ···remediation·AFTER·testing·on·a·non-production | 42 | #» ···remediation·AFTER·testing·on·a·non-production |
| 43 | #» ···system! | 43 | #» ···system! |
| 44 | apt-get·remove·--purge· | 44 | apt-get·remove·--purge·telnetd |
| 45 | #·END·fix·for·'package_ | 45 | #·END·fix·for·'package_telnetd_removed' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | #·BEGIN·fix·(3·/·32)·for·'package_ntpdate_removed' | 47 | #·BEGIN·fix·(3·/·32)·for·'package_ntpdate_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | (>&2·echo·"Remediating·rule·3/32:·'package_ntpdate_removed'") | 49 | (>&2·echo·"Remediating·rule·3/32:·'package_ntpdate_removed'") |
| 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate | 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate |
| 51 | #» ···from·the·system,·and·may·remove·any·packages | 51 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 70, 25 lines modified | Offset 70, 25 lines modified | ||
| 70 | #» ···remediation·AFTER·testing·on·a·non-production | 70 | #» ···remediation·AFTER·testing·on·a·non-production |
| 71 | #» ···system! | 71 | #» ···system! |
| 72 | apt-get·remove·--purge·telnetd-ssl | 72 | apt-get·remove·--purge·telnetd-ssl |
| 73 | #·END·fix·for·'package_telnetd-ssl_removed' | 73 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | #·BEGIN·fix·(5·/·32)·for·'package_telnetd_removed' | 75 | #·BEGIN·fix·(5·/·32)·for·'package_inetutils-telnetd_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | (>&2·echo·"Remediating·rule·5/32:·'package_telnetd_removed'") | 77 | (>&2·echo·"Remediating·rule·5/32:·'package_inetutils-telnetd_removed'") |
| 78 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 78 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 79 | #» ···from·the·system,·and·may·remove·any·packages | 79 | #» ···from·the·system,·and·may·remove·any·packages |
| 80 | #» ···that·depend·on·telnetd.·Execute·this | 80 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 81 | #» ···remediation·AFTER·testing·on·a·non-production | 81 | #» ···remediation·AFTER·testing·on·a·non-production |
| 82 | #» ···system! | 82 | #» ···system! |
| 83 | apt-get·remove·--purge·telnetd | 83 | apt-get·remove·--purge·inetutils-telnetd |
| 84 | #·END·fix·for·'package_telnetd_removed' | 84 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 85 | ############################################################################### | 85 | ############################################################################### |
| 86 | #·BEGIN·fix·(6·/·32)·for·'package_ntp_installed' | 86 | #·BEGIN·fix·(6·/·32)·for·'package_ntp_installed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | (>&2·echo·"Remediating·rule·6/32:·'package_ntp_installed'") | 88 | (>&2·echo·"Remediating·rule·6/32:·'package_ntp_installed'") |
| 89 | #·FIX·FOR·THIS·RULE·IS·MISSING | 89 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 90 | #·END·fix·for·'package_ntp_installed' | 90 | #·END·fix·for·'package_ntp_installed' |
| Offset 97, 33 lines modified | Offset 97, 33 lines modified | ||
| 97 | #·BEGIN·fix·(7·/·32)·for·'sshd_allow_only_protocol2' | 97 | #·BEGIN·fix·(7·/·32)·for·'sshd_allow_only_protocol2' |
| 98 | ############################################################################### | 98 | ############################################################################### |
| 99 | (>&2·echo·"Remediating·rule·7/32:·'sshd_allow_only_protocol2'") | 99 | (>&2·echo·"Remediating·rule·7/32:·'sshd_allow_only_protocol2'") |
| 100 | #·FIX·FOR·THIS·RULE·IS·MISSING | 100 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 101 | #·END·fix·for·'sshd_allow_only_protocol2' | 101 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 102 | ############################################################################### | 102 | ############################################################################### |
| 103 | #·BEGIN·fix·(8·/·32)·for·'sshd_ | 103 | #·BEGIN·fix·(8·/·32)·for·'sshd_set_keepalive' |
| 104 | ############################################################################### | 104 | ############################################################################### |
| 105 | (>&2·echo·"Remediating·rule·8/32:·'sshd_ | 105 | (>&2·echo·"Remediating·rule·8/32:·'sshd_set_keepalive'") |
| 106 | #·FIX·FOR·THIS·RULE·IS·MISSING | 106 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 107 | #·END·fix·for·'sshd_ | 107 | #·END·fix·for·'sshd_set_keepalive' |
| 108 | ############################################################################### | 108 | ############################################################################### |
| 109 | #·BEGIN·fix·(9·/·32)·for·'sshd_set_idle_timeout' | 109 | #·BEGIN·fix·(9·/·32)·for·'sshd_set_idle_timeout' |
| 110 | ############################################################################### | 110 | ############################################################################### |
| 111 | (>&2·echo·"Remediating·rule·9/32:·'sshd_set_idle_timeout'") | 111 | (>&2·echo·"Remediating·rule·9/32:·'sshd_set_idle_timeout'") |
| 112 | #·FIX·FOR·THIS·RULE·IS·MISSING | 112 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 113 | #·END·fix·for·'sshd_set_idle_timeout' | 113 | #·END·fix·for·'sshd_set_idle_timeout' |
| 114 | ############################################################################### | 114 | ############################################################################### |
| 115 | #·BEGIN·fix·(10·/·32)·for·'sshd_set_ | 115 | #·BEGIN·fix·(10·/·32)·for·'sshd_disable_empty_passwords' |
| 116 | ############################################################################### | 116 | ############################################################################### |
| 117 | (>&2·echo·"Remediating·rule·10/32:·'sshd_set_ | 117 | (>&2·echo·"Remediating·rule·10/32:·'sshd_disable_empty_passwords'") |
| 118 | #·FIX·FOR·THIS·RULE·IS·MISSING | 118 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 119 | #·END·fix·for·'sshd_set_ | 119 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 120 | ############################################################################### | 120 | ############################################################################### |
| 121 | #·BEGIN·fix·(11·/·32)·for·'sshd_disable_root_login' | 121 | #·BEGIN·fix·(11·/·32)·for·'sshd_disable_root_login' |
| 122 | ############################################################################### | 122 | ############################################################################### |
| 123 | (>&2·echo·"Remediating·rule·11/32:·'sshd_disable_root_login'") | 123 | (>&2·echo·"Remediating·rule·11/32:·'sshd_disable_root_login'") |
| 124 | #·FIX·FOR·THIS·RULE·IS·MISSING | 124 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 125 | #·END·fix·for·'sshd_disable_root_login' | 125 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 132, 54 lines modified | Offset 132, 54 lines modified | ||
| 132 | #·BEGIN·fix·(12·/·32)·for·'apt_conf_disallow_unauthenticated' | 132 | #·BEGIN·fix·(12·/·32)·for·'apt_conf_disallow_unauthenticated' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule·12/32:·'apt_conf_disallow_unauthenticated'") | 134 | (>&2·echo·"Remediating·rule·12/32:·'apt_conf_disallow_unauthenticated'") |
| 135 | #·FIX·FOR·THIS·RULE·IS·MISSING | 135 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 136 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 136 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| 137 | ############################################################################### | 137 | ############################################################################### |
| 138 | #·BEGIN·fix·(13·/·32)·for·' | 138 | #·BEGIN·fix·(13·/·32)·for·'sudo_remove_no_authenticate' |
| 139 | ############################################################################### | 139 | ############################################################################### |
| 140 | (>&2·echo·"Remediating·rule·13/32:·' | 140 | (>&2·echo·"Remediating·rule·13/32:·'sudo_remove_no_authenticate'") |
| 141 | #·FIX·FOR·THIS·RULE·IS·MISSING | 141 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 142 | #·END·fix·for·' | 142 | #·END·fix·for·'sudo_remove_no_authenticate' |
| 143 | ############################################################################### | 143 | ############################################################################### |
| 144 | #·BEGIN·fix·(14·/·32)·for·' | 144 | #·BEGIN·fix·(14·/·32)·for·'sudo_remove_nopasswd' |
| 145 | ############################################################################### | 145 | ############################################################################### |
| 146 | (>&2·echo·"Remediating·rule·14/32:·' | 146 | (>&2·echo·"Remediating·rule·14/32:·'sudo_remove_nopasswd'") |
| 147 | #·FIX·FOR·THIS·RULE·IS·MISSING | 147 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 148 | #·END·fix·for·' | 148 | #·END·fix·for·'sudo_remove_nopasswd' |
| 149 | ############################################################################### | 149 | ############################################################################### |
| 150 | #·BEGIN·fix·(15·/·32)·for·'rsyslog_files_ | 150 | #·BEGIN·fix·(15·/·32)·for·'rsyslog_files_permissions' |
| 151 | ############################################################################### | 151 | ############################################################################### |
| 152 | (>&2·echo·"Remediating·rule·15/32:·'rsyslog_files_ | 152 | (>&2·echo·"Remediating·rule·15/32:·'rsyslog_files_permissions'") |
| 153 | #·FIX·FOR·THIS·RULE·IS·MISSING | 153 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 154 | #·END·fix·for·'rsyslog_files_ | 154 | #·END·fix·for·'rsyslog_files_permissions' |
| 155 | ############################################################################### | 155 | ############################################################################### |
| 156 | #·BEGIN·fix·(16·/·32)·for·' | 156 | #·BEGIN·fix·(16·/·32)·for·'rsyslog_files_ownership' |
| 157 | ############################################################################### | 157 | ############################################################################### |
| 158 | (>&2·echo·"Remediating·rule·16/32:·' | 158 | (>&2·echo·"Remediating·rule·16/32:·'rsyslog_files_ownership'") |
| 159 | #·FIX·FOR·THIS·RULE·IS·MISSING | 159 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 160 | #·END·fix·for·' | 160 | #·END·fix·for·'rsyslog_files_ownership' |
| 161 | ############################################################################### | 161 | ############################################################################### |
| 162 | #·BEGIN·fix·(17·/·32)·for·'s | 162 | #·BEGIN·fix·(17·/·32)·for·'rsyslog_files_groupownership' |
| 163 | ############################################################################### | 163 | ############################################################################### |
| 164 | (>&2·echo·"Remediating·rule·17/32:·'s | 164 | (>&2·echo·"Remediating·rule·17/32:·'rsyslog_files_groupownership'") |
| 165 | #·FIX·FOR·THIS·RULE·IS·MISSING | 165 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 166 | #·END·fix·for·'s | 166 | #·END·fix·for·'rsyslog_files_groupownership' |
| Max diff block lines reached; 768/8703 bytes (8.82%) of diff not shown. | |||
| Offset 31, 25 lines modified | Offset 31, 25 lines modified | ||
| 31 | #» ···remediation·AFTER·testing·on·a·non-production | 31 | #» ···remediation·AFTER·testing·on·a·non-production |
| 32 | #» ···system! | 32 | #» ···system! |
| 33 | apt-get·remove·--purge·nis | 33 | apt-get·remove·--purge·nis |
| 34 | #·END·fix·for·'package_nis_removed' | 34 | #·END·fix·for·'package_nis_removed' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(2·/·37)·for·'package_ | 36 | #·BEGIN·fix·(2·/·37)·for·'package_telnetd_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·2/37:·'package_ | 38 | (>&2·echo·"Remediating·rule·2/37:·'package_telnetd_removed'") |
| 39 | #·CAUTION:·This·remediation·script·will·remove· | 39 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 40 | #» ···from·the·system,·and·may·remove·any·packages | 40 | #» ···from·the·system,·and·may·remove·any·packages |
| 41 | #» ···that·depend·on· | 41 | #» ···that·depend·on·telnetd.·Execute·this |
| 42 | #» ···remediation·AFTER·testing·on·a·non-production | 42 | #» ···remediation·AFTER·testing·on·a·non-production |
| 43 | #» ···system! | 43 | #» ···system! |
| 44 | apt-get·remove·--purge· | 44 | apt-get·remove·--purge·telnetd |
| 45 | #·END·fix·for·'package_ | 45 | #·END·fix·for·'package_telnetd_removed' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | #·BEGIN·fix·(3·/·37)·for·'package_ntpdate_removed' | 47 | #·BEGIN·fix·(3·/·37)·for·'package_ntpdate_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | (>&2·echo·"Remediating·rule·3/37:·'package_ntpdate_removed'") | 49 | (>&2·echo·"Remediating·rule·3/37:·'package_ntpdate_removed'") |
| 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate | 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate |
| 51 | #» ···from·the·system,·and·may·remove·any·packages | 51 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 70, 25 lines modified | Offset 70, 25 lines modified | ||
| 70 | #» ···remediation·AFTER·testing·on·a·non-production | 70 | #» ···remediation·AFTER·testing·on·a·non-production |
| 71 | #» ···system! | 71 | #» ···system! |
| 72 | apt-get·remove·--purge·telnetd-ssl | 72 | apt-get·remove·--purge·telnetd-ssl |
| 73 | #·END·fix·for·'package_telnetd-ssl_removed' | 73 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | #·BEGIN·fix·(5·/·37)·for·'package_telnetd_removed' | 75 | #·BEGIN·fix·(5·/·37)·for·'package_inetutils-telnetd_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | (>&2·echo·"Remediating·rule·5/37:·'package_telnetd_removed'") | 77 | (>&2·echo·"Remediating·rule·5/37:·'package_inetutils-telnetd_removed'") |
| 78 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 78 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 79 | #» ···from·the·system,·and·may·remove·any·packages | 79 | #» ···from·the·system,·and·may·remove·any·packages |
| 80 | #» ···that·depend·on·telnetd.·Execute·this | 80 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 81 | #» ···remediation·AFTER·testing·on·a·non-production | 81 | #» ···remediation·AFTER·testing·on·a·non-production |
| 82 | #» ···system! | 82 | #» ···system! |
| 83 | apt-get·remove·--purge·telnetd | 83 | apt-get·remove·--purge·inetutils-telnetd |
| 84 | #·END·fix·for·'package_telnetd_removed' | 84 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 85 | ############################################################################### | 85 | ############################################################################### |
| 86 | #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed' | 86 | #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'") | 88 | (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'") |
| 89 | #·FIX·FOR·THIS·RULE·IS·MISSING | 89 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 90 | #·END·fix·for·'package_ntp_installed' | 90 | #·END·fix·for·'package_ntp_installed' |
| Offset 125, 33 lines modified | Offset 125, 33 lines modified | ||
| 125 | #·BEGIN·fix·(11·/·37)·for·'sshd_allow_only_protocol2' | 125 | #·BEGIN·fix·(11·/·37)·for·'sshd_allow_only_protocol2' |
| 126 | ############################################################################### | 126 | ############################################################################### |
| 127 | (>&2·echo·"Remediating·rule·11/37:·'sshd_allow_only_protocol2'") | 127 | (>&2·echo·"Remediating·rule·11/37:·'sshd_allow_only_protocol2'") |
| 128 | #·FIX·FOR·THIS·RULE·IS·MISSING | 128 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 129 | #·END·fix·for·'sshd_allow_only_protocol2' | 129 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 130 | ############################################################################### | 130 | ############################################################################### |
| 131 | #·BEGIN·fix·(12·/·37)·for·'sshd_ | 131 | #·BEGIN·fix·(12·/·37)·for·'sshd_set_keepalive' |
| 132 | ############################################################################### | 132 | ############################################################################### |
| 133 | (>&2·echo·"Remediating·rule·12/37:·'sshd_ | 133 | (>&2·echo·"Remediating·rule·12/37:·'sshd_set_keepalive'") |
| 134 | #·FIX·FOR·THIS·RULE·IS·MISSING | 134 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 135 | #·END·fix·for·'sshd_ | 135 | #·END·fix·for·'sshd_set_keepalive' |
| 136 | ############################################################################### | 136 | ############################################################################### |
| 137 | #·BEGIN·fix·(13·/·37)·for·'sshd_set_idle_timeout' | 137 | #·BEGIN·fix·(13·/·37)·for·'sshd_set_idle_timeout' |
| 138 | ############################################################################### | 138 | ############################################################################### |
| 139 | (>&2·echo·"Remediating·rule·13/37:·'sshd_set_idle_timeout'") | 139 | (>&2·echo·"Remediating·rule·13/37:·'sshd_set_idle_timeout'") |
| 140 | #·FIX·FOR·THIS·RULE·IS·MISSING | 140 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 141 | #·END·fix·for·'sshd_set_idle_timeout' | 141 | #·END·fix·for·'sshd_set_idle_timeout' |
| 142 | ############################################################################### | 142 | ############################################################################### |
| 143 | #·BEGIN·fix·(14·/·37)·for·'sshd_set_ | 143 | #·BEGIN·fix·(14·/·37)·for·'sshd_disable_empty_passwords' |
| 144 | ############################################################################### | 144 | ############################################################################### |
| 145 | (>&2·echo·"Remediating·rule·14/37:·'sshd_set_ | 145 | (>&2·echo·"Remediating·rule·14/37:·'sshd_disable_empty_passwords'") |
| 146 | #·FIX·FOR·THIS·RULE·IS·MISSING | 146 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 147 | #·END·fix·for·'sshd_set_ | 147 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 148 | ############################################################################### | 148 | ############################################################################### |
| 149 | #·BEGIN·fix·(15·/·37)·for·'sshd_disable_root_login' | 149 | #·BEGIN·fix·(15·/·37)·for·'sshd_disable_root_login' |
| 150 | ############################################################################### | 150 | ############################################################################### |
| 151 | (>&2·echo·"Remediating·rule·15/37:·'sshd_disable_root_login'") | 151 | (>&2·echo·"Remediating·rule·15/37:·'sshd_disable_root_login'") |
| 152 | #·FIX·FOR·THIS·RULE·IS·MISSING | 152 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 153 | #·END·fix·for·'sshd_disable_root_login' | 153 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 160, 61 lines modified | Offset 160, 61 lines modified | ||
| 160 | #·BEGIN·fix·(16·/·37)·for·'apt_conf_disallow_unauthenticated' | 160 | #·BEGIN·fix·(16·/·37)·for·'apt_conf_disallow_unauthenticated' |
| 161 | ############################################################################### | 161 | ############################################################################### |
| 162 | (>&2·echo·"Remediating·rule·16/37:·'apt_conf_disallow_unauthenticated'") | 162 | (>&2·echo·"Remediating·rule·16/37:·'apt_conf_disallow_unauthenticated'") |
| 163 | #·FIX·FOR·THIS·RULE·IS·MISSING | 163 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 164 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 164 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| 165 | ############################################################################### | 165 | ############################################################################### |
| 166 | #·BEGIN·fix·(17·/·37)·for·' | 166 | #·BEGIN·fix·(17·/·37)·for·'grub2_enable_iommu_force' |
| 167 | ############################################################################### | 167 | ############################################################################### |
| 168 | (>&2·echo·"Remediating·rule·17/37:·' | 168 | (>&2·echo·"Remediating·rule·17/37:·'grub2_enable_iommu_force'") |
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | 169 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 170 | #·END·fix·for·' | 170 | #·END·fix·for·'grub2_enable_iommu_force' |
| 171 | ############################################################################### | 171 | ############################################################################### |
| 172 | #·BEGIN·fix·(18·/·37)·for·' | 172 | #·BEGIN·fix·(18·/·37)·for·'sudo_remove_no_authenticate' |
| 173 | ############################################################################### | 173 | ############################################################################### |
| 174 | (>&2·echo·"Remediating·rule·18/37:·' | 174 | (>&2·echo·"Remediating·rule·18/37:·'sudo_remove_no_authenticate'") |
| 175 | #·FIX·FOR·THIS·RULE·IS·MISSING | 175 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 176 | #·END·fix·for·' | 176 | #·END·fix·for·'sudo_remove_no_authenticate' |
| 177 | ############################################################################### | 177 | ############################################################################### |
| 178 | #·BEGIN·fix·(19·/·37)·for·' | 178 | #·BEGIN·fix·(19·/·37)·for·'sudo_remove_nopasswd' |
| 179 | ############################################################################### | 179 | ############################################################################### |
| 180 | (>&2·echo·"Remediating·rule·19/37:·' | 180 | (>&2·echo·"Remediating·rule·19/37:·'sudo_remove_nopasswd'") |
| 181 | #·FIX·FOR·THIS·RULE·IS·MISSING | 181 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 182 | #·END·fix·for·' | 182 | #·END·fix·for·'sudo_remove_nopasswd' |
| 183 | ############################################################################### | 183 | ############################################################################### |
| 184 | #·BEGIN·fix·(20·/·37)·for·' | 184 | #·BEGIN·fix·(20·/·37)·for·'rsyslog_files_permissions' |
| 185 | ############################################################################### | 185 | ############################################################################### |
| 186 | (>&2·echo·"Remediating·rule·20/37:·' | 186 | (>&2·echo·"Remediating·rule·20/37:·'rsyslog_files_permissions'") |
| 187 | #·FIX·FOR·THIS·RULE·IS·MISSING | 187 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 188 | #·END·fix·for·' | 188 | #·END·fix·for·'rsyslog_files_permissions' |
| 189 | ############################################################################### | 189 | ############################################################################### |
| 190 | #·BEGIN·fix·(21·/·37)·for·' | 190 | #·BEGIN·fix·(21·/·37)·for·'rsyslog_files_ownership' |
| 191 | ############################################################################### | 191 | ############################################################################### |
| 192 | (>&2·echo·"Remediating·rule·21/37:·' | 192 | (>&2·echo·"Remediating·rule·21/37:·'rsyslog_files_ownership'") |
| 193 | #·FIX·FOR·THIS·RULE·IS·MISSING | 193 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 194 | #·END·fix·for·' | 194 | #·END·fix·for·'rsyslog_files_ownership' |
| Max diff block lines reached; 1307/9231 bytes (14.16%) of diff not shown. | |||
| Offset 31, 25 lines modified | Offset 31, 25 lines modified | ||
| 31 | #» ···remediation·AFTER·testing·on·a·non-production | 31 | #» ···remediation·AFTER·testing·on·a·non-production |
| 32 | #» ···system! | 32 | #» ···system! |
| 33 | apt-get·remove·--purge·nis | 33 | apt-get·remove·--purge·nis |
| 34 | #·END·fix·for·'package_nis_removed' | 34 | #·END·fix·for·'package_nis_removed' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(2·/·11)·for·'package_ | 36 | #·BEGIN·fix·(2·/·11)·for·'package_telnetd_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·2/11:·'package_ | 38 | (>&2·echo·"Remediating·rule·2/11:·'package_telnetd_removed'") |
| 39 | #·CAUTION:·This·remediation·script·will·remove· | 39 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 40 | #» ···from·the·system,·and·may·remove·any·packages | 40 | #» ···from·the·system,·and·may·remove·any·packages |
| 41 | #» ···that·depend·on· | 41 | #» ···that·depend·on·telnetd.·Execute·this |
| 42 | #» ···remediation·AFTER·testing·on·a·non-production | 42 | #» ···remediation·AFTER·testing·on·a·non-production |
| 43 | #» ···system! | 43 | #» ···system! |
| 44 | apt-get·remove·--purge· | 44 | apt-get·remove·--purge·telnetd |
| 45 | #·END·fix·for·'package_ | 45 | #·END·fix·for·'package_telnetd_removed' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | #·BEGIN·fix·(3·/·11)·for·'package_telnetd-ssl_removed' | 47 | #·BEGIN·fix·(3·/·11)·for·'package_telnetd-ssl_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | (>&2·echo·"Remediating·rule·3/11:·'package_telnetd-ssl_removed'") | 49 | (>&2·echo·"Remediating·rule·3/11:·'package_telnetd-ssl_removed'") |
| 50 | #·CAUTION:·This·remediation·script·will·remove·telnetd-ssl | 50 | #·CAUTION:·This·remediation·script·will·remove·telnetd-ssl |
| 51 | #» ···from·the·system,·and·may·remove·any·packages | 51 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 57, 25 lines modified | Offset 57, 25 lines modified | ||
| 57 | #» ···remediation·AFTER·testing·on·a·non-production | 57 | #» ···remediation·AFTER·testing·on·a·non-production |
| 58 | #» ···system! | 58 | #» ···system! |
| 59 | apt-get·remove·--purge·telnetd-ssl | 59 | apt-get·remove·--purge·telnetd-ssl |
| 60 | #·END·fix·for·'package_telnetd-ssl_removed' | 60 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 61 | ############################################################################### | 61 | ############################################################################### |
| 62 | #·BEGIN·fix·(4·/·11)·for·'package_telnetd_removed' | 62 | #·BEGIN·fix·(4·/·11)·for·'package_inetutils-telnetd_removed' |
| 63 | ############################################################################### | 63 | ############################################################################### |
| 64 | (>&2·echo·"Remediating·rule·4/11:·'package_telnetd_removed'") | 64 | (>&2·echo·"Remediating·rule·4/11:·'package_inetutils-telnetd_removed'") |
| 65 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 65 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 66 | #» ···from·the·system,·and·may·remove·any·packages | 66 | #» ···from·the·system,·and·may·remove·any·packages |
| 67 | #» ···that·depend·on·telnetd.·Execute·this | 67 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 68 | #» ···remediation·AFTER·testing·on·a·non-production | 68 | #» ···remediation·AFTER·testing·on·a·non-production |
| 69 | #» ···system! | 69 | #» ···system! |
| 70 | apt-get·remove·--purge·telnetd | 70 | apt-get·remove·--purge·inetutils-telnetd |
| 71 | #·END·fix·for·'package_telnetd_removed' | 71 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 72 | ############################################################################### | 72 | ############################################################################### |
| 73 | #·BEGIN·fix·(5·/·11)·for·'apt_conf_disallow_unauthenticated' | 73 | #·BEGIN·fix·(5·/·11)·for·'apt_conf_disallow_unauthenticated' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | (>&2·echo·"Remediating·rule·5/11:·'apt_conf_disallow_unauthenticated'") | 75 | (>&2·echo·"Remediating·rule·5/11:·'apt_conf_disallow_unauthenticated'") |
| 76 | #·FIX·FOR·THIS·RULE·IS·MISSING | 76 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 77 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 77 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| Offset 31, 25 lines modified | Offset 31, 25 lines modified | ||
| 31 | #» ···remediation·AFTER·testing·on·a·non-production | 31 | #» ···remediation·AFTER·testing·on·a·non-production |
| 32 | #» ···system! | 32 | #» ···system! |
| 33 | apt-get·remove·--purge·nis | 33 | apt-get·remove·--purge·nis |
| 34 | #·END·fix·for·'package_nis_removed' | 34 | #·END·fix·for·'package_nis_removed' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(2·/·36)·for·'package_ | 36 | #·BEGIN·fix·(2·/·36)·for·'package_telnetd_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·2/36:·'package_ | 38 | (>&2·echo·"Remediating·rule·2/36:·'package_telnetd_removed'") |
| 39 | #·CAUTION:·This·remediation·script·will·remove· | 39 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 40 | #» ···from·the·system,·and·may·remove·any·packages | 40 | #» ···from·the·system,·and·may·remove·any·packages |
| 41 | #» ···that·depend·on· | 41 | #» ···that·depend·on·telnetd.·Execute·this |
| 42 | #» ···remediation·AFTER·testing·on·a·non-production | 42 | #» ···remediation·AFTER·testing·on·a·non-production |
| 43 | #» ···system! | 43 | #» ···system! |
| 44 | apt-get·remove·--purge· | 44 | apt-get·remove·--purge·telnetd |
| 45 | #·END·fix·for·'package_ | 45 | #·END·fix·for·'package_telnetd_removed' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed' | 47 | #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'") | 49 | (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'") |
| 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate | 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate |
| 51 | #» ···from·the·system,·and·may·remove·any·packages | 51 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 70, 25 lines modified | Offset 70, 25 lines modified | ||
| 70 | #» ···remediation·AFTER·testing·on·a·non-production | 70 | #» ···remediation·AFTER·testing·on·a·non-production |
| 71 | #» ···system! | 71 | #» ···system! |
| 72 | apt-get·remove·--purge·telnetd-ssl | 72 | apt-get·remove·--purge·telnetd-ssl |
| 73 | #·END·fix·for·'package_telnetd-ssl_removed' | 73 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | #·BEGIN·fix·(5·/·36)·for·'package_telnetd_removed' | 75 | #·BEGIN·fix·(5·/·36)·for·'package_inetutils-telnetd_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | (>&2·echo·"Remediating·rule·5/36:·'package_telnetd_removed'") | 77 | (>&2·echo·"Remediating·rule·5/36:·'package_inetutils-telnetd_removed'") |
| 78 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 78 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 79 | #» ···from·the·system,·and·may·remove·any·packages | 79 | #» ···from·the·system,·and·may·remove·any·packages |
| 80 | #» ···that·depend·on·telnetd.·Execute·this | 80 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 81 | #» ···remediation·AFTER·testing·on·a·non-production | 81 | #» ···remediation·AFTER·testing·on·a·non-production |
| 82 | #» ···system! | 82 | #» ···system! |
| 83 | apt-get·remove·--purge·telnetd | 83 | apt-get·remove·--purge·inetutils-telnetd |
| 84 | #·END·fix·for·'package_telnetd_removed' | 84 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 85 | ############################################################################### | 85 | ############################################################################### |
| 86 | #·BEGIN·fix·(6·/·36)·for·'package_ntp_installed' | 86 | #·BEGIN·fix·(6·/·36)·for·'package_ntp_installed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | (>&2·echo·"Remediating·rule·6/36:·'package_ntp_installed'") | 88 | (>&2·echo·"Remediating·rule·6/36:·'package_ntp_installed'") |
| 89 | #·FIX·FOR·THIS·RULE·IS·MISSING | 89 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 90 | #·END·fix·for·'package_ntp_installed' | 90 | #·END·fix·for·'package_ntp_installed' |
| Offset 125, 33 lines modified | Offset 125, 33 lines modified | ||
| 125 | #·BEGIN·fix·(11·/·36)·for·'sshd_allow_only_protocol2' | 125 | #·BEGIN·fix·(11·/·36)·for·'sshd_allow_only_protocol2' |
| 126 | ############################################################################### | 126 | ############################################################################### |
| 127 | (>&2·echo·"Remediating·rule·11/36:·'sshd_allow_only_protocol2'") | 127 | (>&2·echo·"Remediating·rule·11/36:·'sshd_allow_only_protocol2'") |
| 128 | #·FIX·FOR·THIS·RULE·IS·MISSING | 128 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 129 | #·END·fix·for·'sshd_allow_only_protocol2' | 129 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 130 | ############################################################################### | 130 | ############################################################################### |
| 131 | #·BEGIN·fix·(12·/·36)·for·'sshd_ | 131 | #·BEGIN·fix·(12·/·36)·for·'sshd_set_keepalive' |
| 132 | ############################################################################### | 132 | ############################################################################### |
| 133 | (>&2·echo·"Remediating·rule·12/36:·'sshd_ | 133 | (>&2·echo·"Remediating·rule·12/36:·'sshd_set_keepalive'") |
| 134 | #·FIX·FOR·THIS·RULE·IS·MISSING | 134 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 135 | #·END·fix·for·'sshd_ | 135 | #·END·fix·for·'sshd_set_keepalive' |
| 136 | ############################################################################### | 136 | ############################################################################### |
| 137 | #·BEGIN·fix·(13·/·36)·for·'sshd_set_idle_timeout' | 137 | #·BEGIN·fix·(13·/·36)·for·'sshd_set_idle_timeout' |
| 138 | ############################################################################### | 138 | ############################################################################### |
| 139 | (>&2·echo·"Remediating·rule·13/36:·'sshd_set_idle_timeout'") | 139 | (>&2·echo·"Remediating·rule·13/36:·'sshd_set_idle_timeout'") |
| 140 | #·FIX·FOR·THIS·RULE·IS·MISSING | 140 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 141 | #·END·fix·for·'sshd_set_idle_timeout' | 141 | #·END·fix·for·'sshd_set_idle_timeout' |
| 142 | ############################################################################### | 142 | ############################################################################### |
| 143 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_ | 143 | #·BEGIN·fix·(14·/·36)·for·'sshd_disable_empty_passwords' |
| 144 | ############################################################################### | 144 | ############################################################################### |
| 145 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_ | 145 | (>&2·echo·"Remediating·rule·14/36:·'sshd_disable_empty_passwords'") |
| 146 | #·FIX·FOR·THIS·RULE·IS·MISSING | 146 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 147 | #·END·fix·for·'sshd_set_ | 147 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 148 | ############################################################################### | 148 | ############################################################################### |
| 149 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_root_login' | 149 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_root_login' |
| 150 | ############################################################################### | 150 | ############################################################################### |
| 151 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_root_login'") | 151 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_root_login'") |
| 152 | #·FIX·FOR·THIS·RULE·IS·MISSING | 152 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 153 | #·END·fix·for·'sshd_disable_root_login' | 153 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 160, 54 lines modified | Offset 160, 54 lines modified | ||
| 160 | #·BEGIN·fix·(16·/·36)·for·'apt_conf_disallow_unauthenticated' | 160 | #·BEGIN·fix·(16·/·36)·for·'apt_conf_disallow_unauthenticated' |
| 161 | ############################################################################### | 161 | ############################################################################### |
| 162 | (>&2·echo·"Remediating·rule·16/36:·'apt_conf_disallow_unauthenticated'") | 162 | (>&2·echo·"Remediating·rule·16/36:·'apt_conf_disallow_unauthenticated'") |
| 163 | #·FIX·FOR·THIS·RULE·IS·MISSING | 163 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 164 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 164 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| 165 | ############################################################################### | 165 | ############################################################################### |
| 166 | #·BEGIN·fix·(17·/·36)·for·' | 166 | #·BEGIN·fix·(17·/·36)·for·'sudo_remove_no_authenticate' |
| 167 | ############################################################################### | 167 | ############################################################################### |
| 168 | (>&2·echo·"Remediating·rule·17/36:·' | 168 | (>&2·echo·"Remediating·rule·17/36:·'sudo_remove_no_authenticate'") |
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | 169 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 170 | #·END·fix·for·' | 170 | #·END·fix·for·'sudo_remove_no_authenticate' |
| 171 | ############################################################################### | 171 | ############################################################################### |
| 172 | #·BEGIN·fix·(18·/·36)·for·' | 172 | #·BEGIN·fix·(18·/·36)·for·'sudo_remove_nopasswd' |
| 173 | ############################################################################### | 173 | ############################################################################### |
| 174 | (>&2·echo·"Remediating·rule·18/36:·' | 174 | (>&2·echo·"Remediating·rule·18/36:·'sudo_remove_nopasswd'") |
| 175 | #·FIX·FOR·THIS·RULE·IS·MISSING | 175 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 176 | #·END·fix·for·' | 176 | #·END·fix·for·'sudo_remove_nopasswd' |
| 177 | ############################################################################### | 177 | ############################################################################### |
| 178 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_ | 178 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_permissions' |
| 179 | ############################################################################### | 179 | ############################################################################### |
| 180 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_ | 180 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_permissions'") |
| 181 | #·FIX·FOR·THIS·RULE·IS·MISSING | 181 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 182 | #·END·fix·for·'rsyslog_files_ | 182 | #·END·fix·for·'rsyslog_files_permissions' |
| 183 | ############################################################################### | 183 | ############################################################################### |
| 184 | #·BEGIN·fix·(20·/·36)·for·' | 184 | #·BEGIN·fix·(20·/·36)·for·'rsyslog_files_ownership' |
| 185 | ############################################################################### | 185 | ############################################################################### |
| 186 | (>&2·echo·"Remediating·rule·20/36:·' | 186 | (>&2·echo·"Remediating·rule·20/36:·'rsyslog_files_ownership'") |
| 187 | #·FIX·FOR·THIS·RULE·IS·MISSING | 187 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 188 | #·END·fix·for·' | 188 | #·END·fix·for·'rsyslog_files_ownership' |
| 189 | ############################################################################### | 189 | ############################################################################### |
| 190 | #·BEGIN·fix·(21·/·36)·for·'s | 190 | #·BEGIN·fix·(21·/·36)·for·'rsyslog_files_groupownership' |
| 191 | ############################################################################### | 191 | ############################################################################### |
| 192 | (>&2·echo·"Remediating·rule·21/36:·'s | 192 | (>&2·echo·"Remediating·rule·21/36:·'rsyslog_files_groupownership'") |
| 193 | #·FIX·FOR·THIS·RULE·IS·MISSING | 193 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 194 | #·END·fix·for·'s | 194 | #·END·fix·for·'rsyslog_files_groupownership' |
| Max diff block lines reached; 768/8713 bytes (8.81%) of diff not shown. | |||
| Offset 33, 25 lines modified | Offset 33, 25 lines modified | ||
| 33 | #» ···remediation·AFTER·testing·on·a·non-production | 33 | #» ···remediation·AFTER·testing·on·a·non-production |
| 34 | #» ···system! | 34 | #» ···system! |
| 35 | apt-get·remove·--purge·nis | 35 | apt-get·remove·--purge·nis |
| 36 | #·END·fix·for·'package_nis_removed' | 36 | #·END·fix·for·'package_nis_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | #·BEGIN·fix·(2·/·36)·for·'package_ | 38 | #·BEGIN·fix·(2·/·36)·for·'package_telnetd_removed' |
| 39 | ############################################################################### | 39 | ############################################################################### |
| 40 | (>&2·echo·"Remediating·rule·2/36:·'package_ | 40 | (>&2·echo·"Remediating·rule·2/36:·'package_telnetd_removed'") |
| 41 | #·CAUTION:·This·remediation·script·will·remove· | 41 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 42 | #» ···from·the·system,·and·may·remove·any·packages | 42 | #» ···from·the·system,·and·may·remove·any·packages |
| 43 | #» ···that·depend·on· | 43 | #» ···that·depend·on·telnetd.·Execute·this |
| 44 | #» ···remediation·AFTER·testing·on·a·non-production | 44 | #» ···remediation·AFTER·testing·on·a·non-production |
| 45 | #» ···system! | 45 | #» ···system! |
| 46 | apt-get·remove·--purge· | 46 | apt-get·remove·--purge·telnetd |
| 47 | #·END·fix·for·'package_ | 47 | #·END·fix·for·'package_telnetd_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed' | 49 | #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed' |
| 50 | ############################################################################### | 50 | ############################################################################### |
| 51 | (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'") | 51 | (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'") |
| 52 | #·CAUTION:·This·remediation·script·will·remove·ntpdate | 52 | #·CAUTION:·This·remediation·script·will·remove·ntpdate |
| 53 | #» ···from·the·system,·and·may·remove·any·packages | 53 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 72, 25 lines modified | Offset 72, 25 lines modified | ||
| 72 | #» ···remediation·AFTER·testing·on·a·non-production | 72 | #» ···remediation·AFTER·testing·on·a·non-production |
| 73 | #» ···system! | 73 | #» ···system! |
| 74 | apt-get·remove·--purge·telnetd-ssl | 74 | apt-get·remove·--purge·telnetd-ssl |
| 75 | #·END·fix·for·'package_telnetd-ssl_removed' | 75 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | #·BEGIN·fix·(5·/·36)·for·'package_telnetd_removed' | 77 | #·BEGIN·fix·(5·/·36)·for·'package_inetutils-telnetd_removed' |
| 78 | ############################################################################### | 78 | ############################################################################### |
| 79 | (>&2·echo·"Remediating·rule·5/36:·'package_telnetd_removed'") | 79 | (>&2·echo·"Remediating·rule·5/36:·'package_inetutils-telnetd_removed'") |
| 80 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 80 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 81 | #» ···from·the·system,·and·may·remove·any·packages | 81 | #» ···from·the·system,·and·may·remove·any·packages |
| 82 | #» ···that·depend·on·telnetd.·Execute·this | 82 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 83 | #» ···remediation·AFTER·testing·on·a·non-production | 83 | #» ···remediation·AFTER·testing·on·a·non-production |
| 84 | #» ···system! | 84 | #» ···system! |
| 85 | apt-get·remove·--purge·telnetd | 85 | apt-get·remove·--purge·inetutils-telnetd |
| 86 | #·END·fix·for·'package_telnetd_removed' | 86 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled' | 88 | #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'") | 90 | (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'") |
| 91 | #·FIX·FOR·THIS·RULE·IS·MISSING | 91 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 92 | #·END·fix·for·'service_cron_enabled' | 92 | #·END·fix·for·'service_cron_enabled' |
| Offset 134, 33 lines modified | Offset 134, 33 lines modified | ||
| 134 | #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2' | 134 | #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'") | 136 | (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'") |
| 137 | #·FIX·FOR·THIS·RULE·IS·MISSING | 137 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 138 | #·END·fix·for·'sshd_allow_only_protocol2' | 138 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 139 | ############################################################################### | 139 | ############################################################################### |
| 140 | #·BEGIN·fix·(13·/·36)·for·'sshd_ | 140 | #·BEGIN·fix·(13·/·36)·for·'sshd_set_keepalive' |
| 141 | ############################################################################### | 141 | ############################################################################### |
| 142 | (>&2·echo·"Remediating·rule·13/36:·'sshd_ | 142 | (>&2·echo·"Remediating·rule·13/36:·'sshd_set_keepalive'") |
| 143 | #·FIX·FOR·THIS·RULE·IS·MISSING | 143 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 144 | #·END·fix·for·'sshd_ | 144 | #·END·fix·for·'sshd_set_keepalive' |
| 145 | ############################################################################### | 145 | ############################################################################### |
| 146 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_idle_timeout' | 146 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_idle_timeout' |
| 147 | ############################################################################### | 147 | ############################################################################### |
| 148 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_idle_timeout'") | 148 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_idle_timeout'") |
| 149 | #·FIX·FOR·THIS·RULE·IS·MISSING | 149 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 150 | #·END·fix·for·'sshd_set_idle_timeout' | 150 | #·END·fix·for·'sshd_set_idle_timeout' |
| 151 | ############################################################################### | 151 | ############################################################################### |
| 152 | #·BEGIN·fix·(15·/·36)·for·'sshd_set_ | 152 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_empty_passwords' |
| 153 | ############################################################################### | 153 | ############################################################################### |
| 154 | (>&2·echo·"Remediating·rule·15/36:·'sshd_set_ | 154 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_empty_passwords'") |
| 155 | #·FIX·FOR·THIS·RULE·IS·MISSING | 155 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 156 | #·END·fix·for·'sshd_set_ | 156 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 157 | ############################################################################### | 157 | ############################################################################### |
| 158 | #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login' | 158 | #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login' |
| 159 | ############################################################################### | 159 | ############################################################################### |
| 160 | (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'") | 160 | (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'") |
| 161 | #·FIX·FOR·THIS·RULE·IS·MISSING | 161 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 162 | #·END·fix·for·'sshd_disable_root_login' | 162 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 31, 25 lines modified | Offset 31, 25 lines modified | ||
| 31 | #» ···remediation·AFTER·testing·on·a·non-production | 31 | #» ···remediation·AFTER·testing·on·a·non-production |
| 32 | #» ···system! | 32 | #» ···system! |
| 33 | apt-get·remove·--purge·nis | 33 | apt-get·remove·--purge·nis |
| 34 | #·END·fix·for·'package_nis_removed' | 34 | #·END·fix·for·'package_nis_removed' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(2·/·32)·for·'package_ | 36 | #·BEGIN·fix·(2·/·32)·for·'package_telnetd_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·2/32:·'package_ | 38 | (>&2·echo·"Remediating·rule·2/32:·'package_telnetd_removed'") |
| 39 | #·CAUTION:·This·remediation·script·will·remove· | 39 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 40 | #» ···from·the·system,·and·may·remove·any·packages | 40 | #» ···from·the·system,·and·may·remove·any·packages |
| 41 | #» ···that·depend·on· | 41 | #» ···that·depend·on·telnetd.·Execute·this |
| 42 | #» ···remediation·AFTER·testing·on·a·non-production | 42 | #» ···remediation·AFTER·testing·on·a·non-production |
| 43 | #» ···system! | 43 | #» ···system! |
| 44 | apt-get·remove·--purge· | 44 | apt-get·remove·--purge·telnetd |
| 45 | #·END·fix·for·'package_ | 45 | #·END·fix·for·'package_telnetd_removed' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | #·BEGIN·fix·(3·/·32)·for·'package_ntpdate_removed' | 47 | #·BEGIN·fix·(3·/·32)·for·'package_ntpdate_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | (>&2·echo·"Remediating·rule·3/32:·'package_ntpdate_removed'") | 49 | (>&2·echo·"Remediating·rule·3/32:·'package_ntpdate_removed'") |
| 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate | 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate |
| 51 | #» ···from·the·system,·and·may·remove·any·packages | 51 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 70, 25 lines modified | Offset 70, 25 lines modified | ||
| 70 | #» ···remediation·AFTER·testing·on·a·non-production | 70 | #» ···remediation·AFTER·testing·on·a·non-production |
| 71 | #» ···system! | 71 | #» ···system! |
| 72 | apt-get·remove·--purge·telnetd-ssl | 72 | apt-get·remove·--purge·telnetd-ssl |
| 73 | #·END·fix·for·'package_telnetd-ssl_removed' | 73 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | #·BEGIN·fix·(5·/·32)·for·'package_telnetd_removed' | 75 | #·BEGIN·fix·(5·/·32)·for·'package_inetutils-telnetd_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | (>&2·echo·"Remediating·rule·5/32:·'package_telnetd_removed'") | 77 | (>&2·echo·"Remediating·rule·5/32:·'package_inetutils-telnetd_removed'") |
| 78 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 78 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 79 | #» ···from·the·system,·and·may·remove·any·packages | 79 | #» ···from·the·system,·and·may·remove·any·packages |
| 80 | #» ···that·depend·on·telnetd.·Execute·this | 80 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 81 | #» ···remediation·AFTER·testing·on·a·non-production | 81 | #» ···remediation·AFTER·testing·on·a·non-production |
| 82 | #» ···system! | 82 | #» ···system! |
| 83 | apt-get·remove·--purge·telnetd | 83 | apt-get·remove·--purge·inetutils-telnetd |
| 84 | #·END·fix·for·'package_telnetd_removed' | 84 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 85 | ############################################################################### | 85 | ############################################################################### |
| 86 | #·BEGIN·fix·(6·/·32)·for·'package_ntp_installed' | 86 | #·BEGIN·fix·(6·/·32)·for·'package_ntp_installed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | (>&2·echo·"Remediating·rule·6/32:·'package_ntp_installed'") | 88 | (>&2·echo·"Remediating·rule·6/32:·'package_ntp_installed'") |
| 89 | #·FIX·FOR·THIS·RULE·IS·MISSING | 89 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 90 | #·END·fix·for·'package_ntp_installed' | 90 | #·END·fix·for·'package_ntp_installed' |
| Offset 97, 33 lines modified | Offset 97, 33 lines modified | ||
| 97 | #·BEGIN·fix·(7·/·32)·for·'sshd_allow_only_protocol2' | 97 | #·BEGIN·fix·(7·/·32)·for·'sshd_allow_only_protocol2' |
| 98 | ############################################################################### | 98 | ############################################################################### |
| 99 | (>&2·echo·"Remediating·rule·7/32:·'sshd_allow_only_protocol2'") | 99 | (>&2·echo·"Remediating·rule·7/32:·'sshd_allow_only_protocol2'") |
| 100 | #·FIX·FOR·THIS·RULE·IS·MISSING | 100 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 101 | #·END·fix·for·'sshd_allow_only_protocol2' | 101 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 102 | ############################################################################### | 102 | ############################################################################### |
| 103 | #·BEGIN·fix·(8·/·32)·for·'sshd_ | 103 | #·BEGIN·fix·(8·/·32)·for·'sshd_set_keepalive' |
| 104 | ############################################################################### | 104 | ############################################################################### |
| 105 | (>&2·echo·"Remediating·rule·8/32:·'sshd_ | 105 | (>&2·echo·"Remediating·rule·8/32:·'sshd_set_keepalive'") |
| 106 | #·FIX·FOR·THIS·RULE·IS·MISSING | 106 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 107 | #·END·fix·for·'sshd_ | 107 | #·END·fix·for·'sshd_set_keepalive' |
| 108 | ############################################################################### | 108 | ############################################################################### |
| 109 | #·BEGIN·fix·(9·/·32)·for·'sshd_set_idle_timeout' | 109 | #·BEGIN·fix·(9·/·32)·for·'sshd_set_idle_timeout' |
| 110 | ############################################################################### | 110 | ############################################################################### |
| 111 | (>&2·echo·"Remediating·rule·9/32:·'sshd_set_idle_timeout'") | 111 | (>&2·echo·"Remediating·rule·9/32:·'sshd_set_idle_timeout'") |
| 112 | #·FIX·FOR·THIS·RULE·IS·MISSING | 112 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 113 | #·END·fix·for·'sshd_set_idle_timeout' | 113 | #·END·fix·for·'sshd_set_idle_timeout' |
| 114 | ############################################################################### | 114 | ############################################################################### |
| 115 | #·BEGIN·fix·(10·/·32)·for·'sshd_set_ | 115 | #·BEGIN·fix·(10·/·32)·for·'sshd_disable_empty_passwords' |
| 116 | ############################################################################### | 116 | ############################################################################### |
| 117 | (>&2·echo·"Remediating·rule·10/32:·'sshd_set_ | 117 | (>&2·echo·"Remediating·rule·10/32:·'sshd_disable_empty_passwords'") |
| 118 | #·FIX·FOR·THIS·RULE·IS·MISSING | 118 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 119 | #·END·fix·for·'sshd_set_ | 119 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 120 | ############################################################################### | 120 | ############################################################################### |
| 121 | #·BEGIN·fix·(11·/·32)·for·'sshd_disable_root_login' | 121 | #·BEGIN·fix·(11·/·32)·for·'sshd_disable_root_login' |
| 122 | ############################################################################### | 122 | ############################################################################### |
| 123 | (>&2·echo·"Remediating·rule·11/32:·'sshd_disable_root_login'") | 123 | (>&2·echo·"Remediating·rule·11/32:·'sshd_disable_root_login'") |
| 124 | #·FIX·FOR·THIS·RULE·IS·MISSING | 124 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 125 | #·END·fix·for·'sshd_disable_root_login' | 125 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 132, 54 lines modified | Offset 132, 54 lines modified | ||
| 132 | #·BEGIN·fix·(12·/·32)·for·'apt_conf_disallow_unauthenticated' | 132 | #·BEGIN·fix·(12·/·32)·for·'apt_conf_disallow_unauthenticated' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule·12/32:·'apt_conf_disallow_unauthenticated'") | 134 | (>&2·echo·"Remediating·rule·12/32:·'apt_conf_disallow_unauthenticated'") |
| 135 | #·FIX·FOR·THIS·RULE·IS·MISSING | 135 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 136 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 136 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| 137 | ############################################################################### | 137 | ############################################################################### |
| 138 | #·BEGIN·fix·(13·/·32)·for·' | 138 | #·BEGIN·fix·(13·/·32)·for·'sudo_remove_no_authenticate' |
| 139 | ############################################################################### | 139 | ############################################################################### |
| 140 | (>&2·echo·"Remediating·rule·13/32:·' | 140 | (>&2·echo·"Remediating·rule·13/32:·'sudo_remove_no_authenticate'") |
| 141 | #·FIX·FOR·THIS·RULE·IS·MISSING | 141 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 142 | #·END·fix·for·' | 142 | #·END·fix·for·'sudo_remove_no_authenticate' |
| 143 | ############################################################################### | 143 | ############################################################################### |
| 144 | #·BEGIN·fix·(14·/·32)·for·' | 144 | #·BEGIN·fix·(14·/·32)·for·'sudo_remove_nopasswd' |
| 145 | ############################################################################### | 145 | ############################################################################### |
| 146 | (>&2·echo·"Remediating·rule·14/32:·' | 146 | (>&2·echo·"Remediating·rule·14/32:·'sudo_remove_nopasswd'") |
| 147 | #·FIX·FOR·THIS·RULE·IS·MISSING | 147 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 148 | #·END·fix·for·' | 148 | #·END·fix·for·'sudo_remove_nopasswd' |
| 149 | ############################################################################### | 149 | ############################################################################### |
| 150 | #·BEGIN·fix·(15·/·32)·for·'rsyslog_files_ | 150 | #·BEGIN·fix·(15·/·32)·for·'rsyslog_files_permissions' |
| 151 | ############################################################################### | 151 | ############################################################################### |
| 152 | (>&2·echo·"Remediating·rule·15/32:·'rsyslog_files_ | 152 | (>&2·echo·"Remediating·rule·15/32:·'rsyslog_files_permissions'") |
| 153 | #·FIX·FOR·THIS·RULE·IS·MISSING | 153 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 154 | #·END·fix·for·'rsyslog_files_ | 154 | #·END·fix·for·'rsyslog_files_permissions' |
| 155 | ############################################################################### | 155 | ############################################################################### |
| 156 | #·BEGIN·fix·(16·/·32)·for·' | 156 | #·BEGIN·fix·(16·/·32)·for·'rsyslog_files_ownership' |
| 157 | ############################################################################### | 157 | ############################################################################### |
| 158 | (>&2·echo·"Remediating·rule·16/32:·' | 158 | (>&2·echo·"Remediating·rule·16/32:·'rsyslog_files_ownership'") |
| 159 | #·FIX·FOR·THIS·RULE·IS·MISSING | 159 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 160 | #·END·fix·for·' | 160 | #·END·fix·for·'rsyslog_files_ownership' |
| 161 | ############################################################################### | 161 | ############################################################################### |
| 162 | #·BEGIN·fix·(17·/·32)·for·'s | 162 | #·BEGIN·fix·(17·/·32)·for·'rsyslog_files_groupownership' |
| 163 | ############################################################################### | 163 | ############################################################################### |
| 164 | (>&2·echo·"Remediating·rule·17/32:·'s | 164 | (>&2·echo·"Remediating·rule·17/32:·'rsyslog_files_groupownership'") |
| 165 | #·FIX·FOR·THIS·RULE·IS·MISSING | 165 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 166 | #·END·fix·for·'s | 166 | #·END·fix·for·'rsyslog_files_groupownership' |
| Max diff block lines reached; 768/8703 bytes (8.82%) of diff not shown. | |||
| Offset 31, 25 lines modified | Offset 31, 25 lines modified | ||
| 31 | #» ···remediation·AFTER·testing·on·a·non-production | 31 | #» ···remediation·AFTER·testing·on·a·non-production |
| 32 | #» ···system! | 32 | #» ···system! |
| 33 | apt-get·remove·--purge·nis | 33 | apt-get·remove·--purge·nis |
| 34 | #·END·fix·for·'package_nis_removed' | 34 | #·END·fix·for·'package_nis_removed' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(2·/·37)·for·'package_ | 36 | #·BEGIN·fix·(2·/·37)·for·'package_telnetd_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·2/37:·'package_ | 38 | (>&2·echo·"Remediating·rule·2/37:·'package_telnetd_removed'") |
| 39 | #·CAUTION:·This·remediation·script·will·remove· | 39 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 40 | #» ···from·the·system,·and·may·remove·any·packages | 40 | #» ···from·the·system,·and·may·remove·any·packages |
| 41 | #» ···that·depend·on· | 41 | #» ···that·depend·on·telnetd.·Execute·this |
| 42 | #» ···remediation·AFTER·testing·on·a·non-production | 42 | #» ···remediation·AFTER·testing·on·a·non-production |
| 43 | #» ···system! | 43 | #» ···system! |
| 44 | apt-get·remove·--purge· | 44 | apt-get·remove·--purge·telnetd |
| 45 | #·END·fix·for·'package_ | 45 | #·END·fix·for·'package_telnetd_removed' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | #·BEGIN·fix·(3·/·37)·for·'package_ntpdate_removed' | 47 | #·BEGIN·fix·(3·/·37)·for·'package_ntpdate_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | (>&2·echo·"Remediating·rule·3/37:·'package_ntpdate_removed'") | 49 | (>&2·echo·"Remediating·rule·3/37:·'package_ntpdate_removed'") |
| 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate | 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate |
| 51 | #» ···from·the·system,·and·may·remove·any·packages | 51 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 70, 25 lines modified | Offset 70, 25 lines modified | ||
| 70 | #» ···remediation·AFTER·testing·on·a·non-production | 70 | #» ···remediation·AFTER·testing·on·a·non-production |
| 71 | #» ···system! | 71 | #» ···system! |
| 72 | apt-get·remove·--purge·telnetd-ssl | 72 | apt-get·remove·--purge·telnetd-ssl |
| 73 | #·END·fix·for·'package_telnetd-ssl_removed' | 73 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | #·BEGIN·fix·(5·/·37)·for·'package_telnetd_removed' | 75 | #·BEGIN·fix·(5·/·37)·for·'package_inetutils-telnetd_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | (>&2·echo·"Remediating·rule·5/37:·'package_telnetd_removed'") | 77 | (>&2·echo·"Remediating·rule·5/37:·'package_inetutils-telnetd_removed'") |
| 78 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 78 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 79 | #» ···from·the·system,·and·may·remove·any·packages | 79 | #» ···from·the·system,·and·may·remove·any·packages |
| 80 | #» ···that·depend·on·telnetd.·Execute·this | 80 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 81 | #» ···remediation·AFTER·testing·on·a·non-production | 81 | #» ···remediation·AFTER·testing·on·a·non-production |
| 82 | #» ···system! | 82 | #» ···system! |
| 83 | apt-get·remove·--purge·telnetd | 83 | apt-get·remove·--purge·inetutils-telnetd |
| 84 | #·END·fix·for·'package_telnetd_removed' | 84 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 85 | ############################################################################### | 85 | ############################################################################### |
| 86 | #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed' | 86 | #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'") | 88 | (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'") |
| 89 | #·FIX·FOR·THIS·RULE·IS·MISSING | 89 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 90 | #·END·fix·for·'package_ntp_installed' | 90 | #·END·fix·for·'package_ntp_installed' |
| Offset 125, 33 lines modified | Offset 125, 33 lines modified | ||
| 125 | #·BEGIN·fix·(11·/·37)·for·'sshd_allow_only_protocol2' | 125 | #·BEGIN·fix·(11·/·37)·for·'sshd_allow_only_protocol2' |
| 126 | ############################################################################### | 126 | ############################################################################### |
| 127 | (>&2·echo·"Remediating·rule·11/37:·'sshd_allow_only_protocol2'") | 127 | (>&2·echo·"Remediating·rule·11/37:·'sshd_allow_only_protocol2'") |
| 128 | #·FIX·FOR·THIS·RULE·IS·MISSING | 128 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 129 | #·END·fix·for·'sshd_allow_only_protocol2' | 129 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 130 | ############################################################################### | 130 | ############################################################################### |
| 131 | #·BEGIN·fix·(12·/·37)·for·'sshd_ | 131 | #·BEGIN·fix·(12·/·37)·for·'sshd_set_keepalive' |
| 132 | ############################################################################### | 132 | ############################################################################### |
| 133 | (>&2·echo·"Remediating·rule·12/37:·'sshd_ | 133 | (>&2·echo·"Remediating·rule·12/37:·'sshd_set_keepalive'") |
| 134 | #·FIX·FOR·THIS·RULE·IS·MISSING | 134 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 135 | #·END·fix·for·'sshd_ | 135 | #·END·fix·for·'sshd_set_keepalive' |
| 136 | ############################################################################### | 136 | ############################################################################### |
| 137 | #·BEGIN·fix·(13·/·37)·for·'sshd_set_idle_timeout' | 137 | #·BEGIN·fix·(13·/·37)·for·'sshd_set_idle_timeout' |
| 138 | ############################################################################### | 138 | ############################################################################### |
| 139 | (>&2·echo·"Remediating·rule·13/37:·'sshd_set_idle_timeout'") | 139 | (>&2·echo·"Remediating·rule·13/37:·'sshd_set_idle_timeout'") |
| 140 | #·FIX·FOR·THIS·RULE·IS·MISSING | 140 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 141 | #·END·fix·for·'sshd_set_idle_timeout' | 141 | #·END·fix·for·'sshd_set_idle_timeout' |
| 142 | ############################################################################### | 142 | ############################################################################### |
| 143 | #·BEGIN·fix·(14·/·37)·for·'sshd_set_ | 143 | #·BEGIN·fix·(14·/·37)·for·'sshd_disable_empty_passwords' |
| 144 | ############################################################################### | 144 | ############################################################################### |
| 145 | (>&2·echo·"Remediating·rule·14/37:·'sshd_set_ | 145 | (>&2·echo·"Remediating·rule·14/37:·'sshd_disable_empty_passwords'") |
| 146 | #·FIX·FOR·THIS·RULE·IS·MISSING | 146 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 147 | #·END·fix·for·'sshd_set_ | 147 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 148 | ############################################################################### | 148 | ############################################################################### |
| 149 | #·BEGIN·fix·(15·/·37)·for·'sshd_disable_root_login' | 149 | #·BEGIN·fix·(15·/·37)·for·'sshd_disable_root_login' |
| 150 | ############################################################################### | 150 | ############################################################################### |
| 151 | (>&2·echo·"Remediating·rule·15/37:·'sshd_disable_root_login'") | 151 | (>&2·echo·"Remediating·rule·15/37:·'sshd_disable_root_login'") |
| 152 | #·FIX·FOR·THIS·RULE·IS·MISSING | 152 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 153 | #·END·fix·for·'sshd_disable_root_login' | 153 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 160, 61 lines modified | Offset 160, 61 lines modified | ||
| 160 | #·BEGIN·fix·(16·/·37)·for·'apt_conf_disallow_unauthenticated' | 160 | #·BEGIN·fix·(16·/·37)·for·'apt_conf_disallow_unauthenticated' |
| 161 | ############################################################################### | 161 | ############################################################################### |
| 162 | (>&2·echo·"Remediating·rule·16/37:·'apt_conf_disallow_unauthenticated'") | 162 | (>&2·echo·"Remediating·rule·16/37:·'apt_conf_disallow_unauthenticated'") |
| 163 | #·FIX·FOR·THIS·RULE·IS·MISSING | 163 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 164 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 164 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| 165 | ############################################################################### | 165 | ############################################################################### |
| 166 | #·BEGIN·fix·(17·/·37)·for·' | 166 | #·BEGIN·fix·(17·/·37)·for·'grub2_enable_iommu_force' |
| 167 | ############################################################################### | 167 | ############################################################################### |
| 168 | (>&2·echo·"Remediating·rule·17/37:·' | 168 | (>&2·echo·"Remediating·rule·17/37:·'grub2_enable_iommu_force'") |
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | 169 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 170 | #·END·fix·for·' | 170 | #·END·fix·for·'grub2_enable_iommu_force' |
| 171 | ############################################################################### | 171 | ############################################################################### |
| 172 | #·BEGIN·fix·(18·/·37)·for·' | 172 | #·BEGIN·fix·(18·/·37)·for·'sudo_remove_no_authenticate' |
| 173 | ############################################################################### | 173 | ############################################################################### |
| 174 | (>&2·echo·"Remediating·rule·18/37:·' | 174 | (>&2·echo·"Remediating·rule·18/37:·'sudo_remove_no_authenticate'") |
| 175 | #·FIX·FOR·THIS·RULE·IS·MISSING | 175 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 176 | #·END·fix·for·' | 176 | #·END·fix·for·'sudo_remove_no_authenticate' |
| 177 | ############################################################################### | 177 | ############################################################################### |
| 178 | #·BEGIN·fix·(19·/·37)·for·' | 178 | #·BEGIN·fix·(19·/·37)·for·'sudo_remove_nopasswd' |
| 179 | ############################################################################### | 179 | ############################################################################### |
| 180 | (>&2·echo·"Remediating·rule·19/37:·' | 180 | (>&2·echo·"Remediating·rule·19/37:·'sudo_remove_nopasswd'") |
| 181 | #·FIX·FOR·THIS·RULE·IS·MISSING | 181 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 182 | #·END·fix·for·' | 182 | #·END·fix·for·'sudo_remove_nopasswd' |
| 183 | ############################################################################### | 183 | ############################################################################### |
| 184 | #·BEGIN·fix·(20·/·37)·for·' | 184 | #·BEGIN·fix·(20·/·37)·for·'rsyslog_files_permissions' |
| 185 | ############################################################################### | 185 | ############################################################################### |
| 186 | (>&2·echo·"Remediating·rule·20/37:·' | 186 | (>&2·echo·"Remediating·rule·20/37:·'rsyslog_files_permissions'") |
| 187 | #·FIX·FOR·THIS·RULE·IS·MISSING | 187 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 188 | #·END·fix·for·' | 188 | #·END·fix·for·'rsyslog_files_permissions' |
| 189 | ############################################################################### | 189 | ############################################################################### |
| 190 | #·BEGIN·fix·(21·/·37)·for·' | 190 | #·BEGIN·fix·(21·/·37)·for·'rsyslog_files_ownership' |
| 191 | ############################################################################### | 191 | ############################################################################### |
| 192 | (>&2·echo·"Remediating·rule·21/37:·' | 192 | (>&2·echo·"Remediating·rule·21/37:·'rsyslog_files_ownership'") |
| 193 | #·FIX·FOR·THIS·RULE·IS·MISSING | 193 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 194 | #·END·fix·for·' | 194 | #·END·fix·for·'rsyslog_files_ownership' |
| Max diff block lines reached; 1307/9231 bytes (14.16%) of diff not shown. | |||
| Offset 31, 25 lines modified | Offset 31, 25 lines modified | ||
| 31 | #» ···remediation·AFTER·testing·on·a·non-production | 31 | #» ···remediation·AFTER·testing·on·a·non-production |
| 32 | #» ···system! | 32 | #» ···system! |
| 33 | apt-get·remove·--purge·nis | 33 | apt-get·remove·--purge·nis |
| 34 | #·END·fix·for·'package_nis_removed' | 34 | #·END·fix·for·'package_nis_removed' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(2·/·11)·for·'package_ | 36 | #·BEGIN·fix·(2·/·11)·for·'package_telnetd_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·2/11:·'package_ | 38 | (>&2·echo·"Remediating·rule·2/11:·'package_telnetd_removed'") |
| 39 | #·CAUTION:·This·remediation·script·will·remove· | 39 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 40 | #» ···from·the·system,·and·may·remove·any·packages | 40 | #» ···from·the·system,·and·may·remove·any·packages |
| 41 | #» ···that·depend·on· | 41 | #» ···that·depend·on·telnetd.·Execute·this |
| 42 | #» ···remediation·AFTER·testing·on·a·non-production | 42 | #» ···remediation·AFTER·testing·on·a·non-production |
| 43 | #» ···system! | 43 | #» ···system! |
| 44 | apt-get·remove·--purge· | 44 | apt-get·remove·--purge·telnetd |
| 45 | #·END·fix·for·'package_ | 45 | #·END·fix·for·'package_telnetd_removed' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | #·BEGIN·fix·(3·/·11)·for·'package_telnetd-ssl_removed' | 47 | #·BEGIN·fix·(3·/·11)·for·'package_telnetd-ssl_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | (>&2·echo·"Remediating·rule·3/11:·'package_telnetd-ssl_removed'") | 49 | (>&2·echo·"Remediating·rule·3/11:·'package_telnetd-ssl_removed'") |
| 50 | #·CAUTION:·This·remediation·script·will·remove·telnetd-ssl | 50 | #·CAUTION:·This·remediation·script·will·remove·telnetd-ssl |
| 51 | #» ···from·the·system,·and·may·remove·any·packages | 51 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 57, 25 lines modified | Offset 57, 25 lines modified | ||
| 57 | #» ···remediation·AFTER·testing·on·a·non-production | 57 | #» ···remediation·AFTER·testing·on·a·non-production |
| 58 | #» ···system! | 58 | #» ···system! |
| 59 | apt-get·remove·--purge·telnetd-ssl | 59 | apt-get·remove·--purge·telnetd-ssl |
| 60 | #·END·fix·for·'package_telnetd-ssl_removed' | 60 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 61 | ############################################################################### | 61 | ############################################################################### |
| 62 | #·BEGIN·fix·(4·/·11)·for·'package_telnetd_removed' | 62 | #·BEGIN·fix·(4·/·11)·for·'package_inetutils-telnetd_removed' |
| 63 | ############################################################################### | 63 | ############################################################################### |
| 64 | (>&2·echo·"Remediating·rule·4/11:·'package_telnetd_removed'") | 64 | (>&2·echo·"Remediating·rule·4/11:·'package_inetutils-telnetd_removed'") |
| 65 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 65 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 66 | #» ···from·the·system,·and·may·remove·any·packages | 66 | #» ···from·the·system,·and·may·remove·any·packages |
| 67 | #» ···that·depend·on·telnetd.·Execute·this | 67 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 68 | #» ···remediation·AFTER·testing·on·a·non-production | 68 | #» ···remediation·AFTER·testing·on·a·non-production |
| 69 | #» ···system! | 69 | #» ···system! |
| 70 | apt-get·remove·--purge·telnetd | 70 | apt-get·remove·--purge·inetutils-telnetd |
| 71 | #·END·fix·for·'package_telnetd_removed' | 71 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 72 | ############################################################################### | 72 | ############################################################################### |
| 73 | #·BEGIN·fix·(5·/·11)·for·'apt_conf_disallow_unauthenticated' | 73 | #·BEGIN·fix·(5·/·11)·for·'apt_conf_disallow_unauthenticated' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | (>&2·echo·"Remediating·rule·5/11:·'apt_conf_disallow_unauthenticated'") | 75 | (>&2·echo·"Remediating·rule·5/11:·'apt_conf_disallow_unauthenticated'") |
| 76 | #·FIX·FOR·THIS·RULE·IS·MISSING | 76 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 77 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 77 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| Offset 31, 25 lines modified | Offset 31, 25 lines modified | ||
| 31 | #» ···remediation·AFTER·testing·on·a·non-production | 31 | #» ···remediation·AFTER·testing·on·a·non-production |
| 32 | #» ···system! | 32 | #» ···system! |
| 33 | apt-get·remove·--purge·nis | 33 | apt-get·remove·--purge·nis |
| 34 | #·END·fix·for·'package_nis_removed' | 34 | #·END·fix·for·'package_nis_removed' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(2·/·36)·for·'package_ | 36 | #·BEGIN·fix·(2·/·36)·for·'package_telnetd_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·2/36:·'package_ | 38 | (>&2·echo·"Remediating·rule·2/36:·'package_telnetd_removed'") |
| 39 | #·CAUTION:·This·remediation·script·will·remove· | 39 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 40 | #» ···from·the·system,·and·may·remove·any·packages | 40 | #» ···from·the·system,·and·may·remove·any·packages |
| 41 | #» ···that·depend·on· | 41 | #» ···that·depend·on·telnetd.·Execute·this |
| 42 | #» ···remediation·AFTER·testing·on·a·non-production | 42 | #» ···remediation·AFTER·testing·on·a·non-production |
| 43 | #» ···system! | 43 | #» ···system! |
| 44 | apt-get·remove·--purge· | 44 | apt-get·remove·--purge·telnetd |
| 45 | #·END·fix·for·'package_ | 45 | #·END·fix·for·'package_telnetd_removed' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed' | 47 | #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'") | 49 | (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'") |
| 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate | 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate |
| 51 | #» ···from·the·system,·and·may·remove·any·packages | 51 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 70, 25 lines modified | Offset 70, 25 lines modified | ||
| 70 | #» ···remediation·AFTER·testing·on·a·non-production | 70 | #» ···remediation·AFTER·testing·on·a·non-production |
| 71 | #» ···system! | 71 | #» ···system! |
| 72 | apt-get·remove·--purge·telnetd-ssl | 72 | apt-get·remove·--purge·telnetd-ssl |
| 73 | #·END·fix·for·'package_telnetd-ssl_removed' | 73 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | #·BEGIN·fix·(5·/·36)·for·'package_telnetd_removed' | 75 | #·BEGIN·fix·(5·/·36)·for·'package_inetutils-telnetd_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | (>&2·echo·"Remediating·rule·5/36:·'package_telnetd_removed'") | 77 | (>&2·echo·"Remediating·rule·5/36:·'package_inetutils-telnetd_removed'") |
| 78 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 78 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 79 | #» ···from·the·system,·and·may·remove·any·packages | 79 | #» ···from·the·system,·and·may·remove·any·packages |
| 80 | #» ···that·depend·on·telnetd.·Execute·this | 80 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 81 | #» ···remediation·AFTER·testing·on·a·non-production | 81 | #» ···remediation·AFTER·testing·on·a·non-production |
| 82 | #» ···system! | 82 | #» ···system! |
| 83 | apt-get·remove·--purge·telnetd | 83 | apt-get·remove·--purge·inetutils-telnetd |
| 84 | #·END·fix·for·'package_telnetd_removed' | 84 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 85 | ############################################################################### | 85 | ############################################################################### |
| 86 | #·BEGIN·fix·(6·/·36)·for·'package_ntp_installed' | 86 | #·BEGIN·fix·(6·/·36)·for·'package_ntp_installed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | (>&2·echo·"Remediating·rule·6/36:·'package_ntp_installed'") | 88 | (>&2·echo·"Remediating·rule·6/36:·'package_ntp_installed'") |
| 89 | #·FIX·FOR·THIS·RULE·IS·MISSING | 89 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 90 | #·END·fix·for·'package_ntp_installed' | 90 | #·END·fix·for·'package_ntp_installed' |
| Offset 125, 33 lines modified | Offset 125, 33 lines modified | ||
| 125 | #·BEGIN·fix·(11·/·36)·for·'sshd_allow_only_protocol2' | 125 | #·BEGIN·fix·(11·/·36)·for·'sshd_allow_only_protocol2' |
| 126 | ############################################################################### | 126 | ############################################################################### |
| 127 | (>&2·echo·"Remediating·rule·11/36:·'sshd_allow_only_protocol2'") | 127 | (>&2·echo·"Remediating·rule·11/36:·'sshd_allow_only_protocol2'") |
| 128 | #·FIX·FOR·THIS·RULE·IS·MISSING | 128 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 129 | #·END·fix·for·'sshd_allow_only_protocol2' | 129 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 130 | ############################################################################### | 130 | ############################################################################### |
| 131 | #·BEGIN·fix·(12·/·36)·for·'sshd_ | 131 | #·BEGIN·fix·(12·/·36)·for·'sshd_set_keepalive' |
| 132 | ############################################################################### | 132 | ############################################################################### |
| 133 | (>&2·echo·"Remediating·rule·12/36:·'sshd_ | 133 | (>&2·echo·"Remediating·rule·12/36:·'sshd_set_keepalive'") |
| 134 | #·FIX·FOR·THIS·RULE·IS·MISSING | 134 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 135 | #·END·fix·for·'sshd_ | 135 | #·END·fix·for·'sshd_set_keepalive' |
| 136 | ############################################################################### | 136 | ############################################################################### |
| 137 | #·BEGIN·fix·(13·/·36)·for·'sshd_set_idle_timeout' | 137 | #·BEGIN·fix·(13·/·36)·for·'sshd_set_idle_timeout' |
| 138 | ############################################################################### | 138 | ############################################################################### |
| 139 | (>&2·echo·"Remediating·rule·13/36:·'sshd_set_idle_timeout'") | 139 | (>&2·echo·"Remediating·rule·13/36:·'sshd_set_idle_timeout'") |
| 140 | #·FIX·FOR·THIS·RULE·IS·MISSING | 140 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 141 | #·END·fix·for·'sshd_set_idle_timeout' | 141 | #·END·fix·for·'sshd_set_idle_timeout' |
| 142 | ############################################################################### | 142 | ############################################################################### |
| 143 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_ | 143 | #·BEGIN·fix·(14·/·36)·for·'sshd_disable_empty_passwords' |
| 144 | ############################################################################### | 144 | ############################################################################### |
| 145 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_ | 145 | (>&2·echo·"Remediating·rule·14/36:·'sshd_disable_empty_passwords'") |
| 146 | #·FIX·FOR·THIS·RULE·IS·MISSING | 146 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 147 | #·END·fix·for·'sshd_set_ | 147 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 148 | ############################################################################### | 148 | ############################################################################### |
| 149 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_root_login' | 149 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_root_login' |
| 150 | ############################################################################### | 150 | ############################################################################### |
| 151 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_root_login'") | 151 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_root_login'") |
| 152 | #·FIX·FOR·THIS·RULE·IS·MISSING | 152 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 153 | #·END·fix·for·'sshd_disable_root_login' | 153 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 160, 54 lines modified | Offset 160, 54 lines modified | ||
| 160 | #·BEGIN·fix·(16·/·36)·for·'apt_conf_disallow_unauthenticated' | 160 | #·BEGIN·fix·(16·/·36)·for·'apt_conf_disallow_unauthenticated' |
| 161 | ############################################################################### | 161 | ############################################################################### |
| 162 | (>&2·echo·"Remediating·rule·16/36:·'apt_conf_disallow_unauthenticated'") | 162 | (>&2·echo·"Remediating·rule·16/36:·'apt_conf_disallow_unauthenticated'") |
| 163 | #·FIX·FOR·THIS·RULE·IS·MISSING | 163 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 164 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 164 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| 165 | ############################################################################### | 165 | ############################################################################### |
| 166 | #·BEGIN·fix·(17·/·36)·for·' | 166 | #·BEGIN·fix·(17·/·36)·for·'sudo_remove_no_authenticate' |
| 167 | ############################################################################### | 167 | ############################################################################### |
| 168 | (>&2·echo·"Remediating·rule·17/36:·' | 168 | (>&2·echo·"Remediating·rule·17/36:·'sudo_remove_no_authenticate'") |
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | 169 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 170 | #·END·fix·for·' | 170 | #·END·fix·for·'sudo_remove_no_authenticate' |
| 171 | ############################################################################### | 171 | ############################################################################### |
| 172 | #·BEGIN·fix·(18·/·36)·for·' | 172 | #·BEGIN·fix·(18·/·36)·for·'sudo_remove_nopasswd' |
| 173 | ############################################################################### | 173 | ############################################################################### |
| 174 | (>&2·echo·"Remediating·rule·18/36:·' | 174 | (>&2·echo·"Remediating·rule·18/36:·'sudo_remove_nopasswd'") |
| 175 | #·FIX·FOR·THIS·RULE·IS·MISSING | 175 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 176 | #·END·fix·for·' | 176 | #·END·fix·for·'sudo_remove_nopasswd' |
| 177 | ############################################################################### | 177 | ############################################################################### |
| 178 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_ | 178 | #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_permissions' |
| 179 | ############################################################################### | 179 | ############################################################################### |
| 180 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_ | 180 | (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_permissions'") |
| 181 | #·FIX·FOR·THIS·RULE·IS·MISSING | 181 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 182 | #·END·fix·for·'rsyslog_files_ | 182 | #·END·fix·for·'rsyslog_files_permissions' |
| 183 | ############################################################################### | 183 | ############################################################################### |
| 184 | #·BEGIN·fix·(20·/·36)·for·' | 184 | #·BEGIN·fix·(20·/·36)·for·'rsyslog_files_ownership' |
| 185 | ############################################################################### | 185 | ############################################################################### |
| 186 | (>&2·echo·"Remediating·rule·20/36:·' | 186 | (>&2·echo·"Remediating·rule·20/36:·'rsyslog_files_ownership'") |
| 187 | #·FIX·FOR·THIS·RULE·IS·MISSING | 187 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 188 | #·END·fix·for·' | 188 | #·END·fix·for·'rsyslog_files_ownership' |
| 189 | ############################################################################### | 189 | ############################################################################### |
| 190 | #·BEGIN·fix·(21·/·36)·for·'s | 190 | #·BEGIN·fix·(21·/·36)·for·'rsyslog_files_groupownership' |
| 191 | ############################################################################### | 191 | ############################################################################### |
| 192 | (>&2·echo·"Remediating·rule·21/36:·'s | 192 | (>&2·echo·"Remediating·rule·21/36:·'rsyslog_files_groupownership'") |
| 193 | #·FIX·FOR·THIS·RULE·IS·MISSING | 193 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 194 | #·END·fix·for·'s | 194 | #·END·fix·for·'rsyslog_files_groupownership' |
| Max diff block lines reached; 768/8713 bytes (8.81%) of diff not shown. | |||
| Offset 33, 25 lines modified | Offset 33, 25 lines modified | ||
| 33 | #» ···remediation·AFTER·testing·on·a·non-production | 33 | #» ···remediation·AFTER·testing·on·a·non-production |
| 34 | #» ···system! | 34 | #» ···system! |
| 35 | apt-get·remove·--purge·nis | 35 | apt-get·remove·--purge·nis |
| 36 | #·END·fix·for·'package_nis_removed' | 36 | #·END·fix·for·'package_nis_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | #·BEGIN·fix·(2·/·36)·for·'package_ | 38 | #·BEGIN·fix·(2·/·36)·for·'package_telnetd_removed' |
| 39 | ############################################################################### | 39 | ############################################################################### |
| 40 | (>&2·echo·"Remediating·rule·2/36:·'package_ | 40 | (>&2·echo·"Remediating·rule·2/36:·'package_telnetd_removed'") |
| 41 | #·CAUTION:·This·remediation·script·will·remove· | 41 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 42 | #» ···from·the·system,·and·may·remove·any·packages | 42 | #» ···from·the·system,·and·may·remove·any·packages |
| 43 | #» ···that·depend·on· | 43 | #» ···that·depend·on·telnetd.·Execute·this |
| 44 | #» ···remediation·AFTER·testing·on·a·non-production | 44 | #» ···remediation·AFTER·testing·on·a·non-production |
| 45 | #» ···system! | 45 | #» ···system! |
| 46 | apt-get·remove·--purge· | 46 | apt-get·remove·--purge·telnetd |
| 47 | #·END·fix·for·'package_ | 47 | #·END·fix·for·'package_telnetd_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed' | 49 | #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed' |
| 50 | ############################################################################### | 50 | ############################################################################### |
| 51 | (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'") | 51 | (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'") |
| 52 | #·CAUTION:·This·remediation·script·will·remove·ntpdate | 52 | #·CAUTION:·This·remediation·script·will·remove·ntpdate |
| 53 | #» ···from·the·system,·and·may·remove·any·packages | 53 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 72, 25 lines modified | Offset 72, 25 lines modified | ||
| 72 | #» ···remediation·AFTER·testing·on·a·non-production | 72 | #» ···remediation·AFTER·testing·on·a·non-production |
| 73 | #» ···system! | 73 | #» ···system! |
| 74 | apt-get·remove·--purge·telnetd-ssl | 74 | apt-get·remove·--purge·telnetd-ssl |
| 75 | #·END·fix·for·'package_telnetd-ssl_removed' | 75 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | #·BEGIN·fix·(5·/·36)·for·'package_telnetd_removed' | 77 | #·BEGIN·fix·(5·/·36)·for·'package_inetutils-telnetd_removed' |
| 78 | ############################################################################### | 78 | ############################################################################### |
| 79 | (>&2·echo·"Remediating·rule·5/36:·'package_telnetd_removed'") | 79 | (>&2·echo·"Remediating·rule·5/36:·'package_inetutils-telnetd_removed'") |
| 80 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 80 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 81 | #» ···from·the·system,·and·may·remove·any·packages | 81 | #» ···from·the·system,·and·may·remove·any·packages |
| 82 | #» ···that·depend·on·telnetd.·Execute·this | 82 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 83 | #» ···remediation·AFTER·testing·on·a·non-production | 83 | #» ···remediation·AFTER·testing·on·a·non-production |
| 84 | #» ···system! | 84 | #» ···system! |
| 85 | apt-get·remove·--purge·telnetd | 85 | apt-get·remove·--purge·inetutils-telnetd |
| 86 | #·END·fix·for·'package_telnetd_removed' | 86 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled' | 88 | #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'") | 90 | (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'") |
| 91 | #·FIX·FOR·THIS·RULE·IS·MISSING | 91 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 92 | #·END·fix·for·'service_cron_enabled' | 92 | #·END·fix·for·'service_cron_enabled' |
| Offset 134, 33 lines modified | Offset 134, 33 lines modified | ||
| 134 | #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2' | 134 | #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'") | 136 | (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'") |
| 137 | #·FIX·FOR·THIS·RULE·IS·MISSING | 137 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 138 | #·END·fix·for·'sshd_allow_only_protocol2' | 138 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 139 | ############################################################################### | 139 | ############################################################################### |
| 140 | #·BEGIN·fix·(13·/·36)·for·'sshd_ | 140 | #·BEGIN·fix·(13·/·36)·for·'sshd_set_keepalive' |
| 141 | ############################################################################### | 141 | ############################################################################### |
| 142 | (>&2·echo·"Remediating·rule·13/36:·'sshd_ | 142 | (>&2·echo·"Remediating·rule·13/36:·'sshd_set_keepalive'") |
| 143 | #·FIX·FOR·THIS·RULE·IS·MISSING | 143 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 144 | #·END·fix·for·'sshd_ | 144 | #·END·fix·for·'sshd_set_keepalive' |
| 145 | ############################################################################### | 145 | ############################################################################### |
| 146 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_idle_timeout' | 146 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_idle_timeout' |
| 147 | ############################################################################### | 147 | ############################################################################### |
| 148 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_idle_timeout'") | 148 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_idle_timeout'") |
| 149 | #·FIX·FOR·THIS·RULE·IS·MISSING | 149 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 150 | #·END·fix·for·'sshd_set_idle_timeout' | 150 | #·END·fix·for·'sshd_set_idle_timeout' |
| 151 | ############################################################################### | 151 | ############################################################################### |
| 152 | #·BEGIN·fix·(15·/·36)·for·'sshd_set_ | 152 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_empty_passwords' |
| 153 | ############################################################################### | 153 | ############################################################################### |
| 154 | (>&2·echo·"Remediating·rule·15/36:·'sshd_set_ | 154 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_empty_passwords'") |
| 155 | #·FIX·FOR·THIS·RULE·IS·MISSING | 155 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 156 | #·END·fix·for·'sshd_set_ | 156 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 157 | ############################################################################### | 157 | ############################################################################### |
| 158 | #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login' | 158 | #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login' |
| 159 | ############################################################################### | 159 | ############################################################################### |
| 160 | (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'") | 160 | (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'") |
| 161 | #·FIX·FOR·THIS·RULE·IS·MISSING | 161 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 162 | #·END·fix·for·'sshd_disable_root_login' | 162 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:36:55</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>CentOS·6</ns0:title> | 12 | ········<ns0:title>CentOS·6</ns0:title> |
| 13 | ········<ns0:affected·family="unix"/> | 13 | ········<ns0:affected·family="unix"/> |
| 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> | 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> |
| Offset 18, 21 lines modified | Offset 18, 21 lines modified | ||
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-ocil.xml"/> | 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-ocil.xml"/> |
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1404-oval.xml"·timestamp="2020-07-1 | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1404-oval.xml"·timestamp="2020-07-12T18:46:22"> |
| 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 27 | ······<ns0:generator> | 27 | ······<ns0:generator> |
| 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 30 | ········<ns2:schema_version>5.11</ns2:schema_version> | 30 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 31 | ········<ns2:timestamp>2020-07-12T0 | 31 | ········<ns2:timestamp>2020-07-12T04:36:55</ns2:timestamp> |
| 32 | ······</ns0:generator> | 32 | ······</ns0:generator> |
| 33 | ······<ns0:definitions> | 33 | ······<ns0:definitions> |
| 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> | 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> |
| 35 | ··········<ns0:metadata> | 35 | ··········<ns0:metadata> |
| 36 | ············<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> | 36 | ············<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> |
| 37 | ············<ns0:affected·family="unix"> | 37 | ············<ns0:affected·family="unix"> |
| 38 | ··············<ns0:platform>Ubuntu·1404</ns0:platform> | 38 | ··············<ns0:platform>Ubuntu·1404</ns0:platform> |
| Offset 5544, 15 lines modified | Offset 5544, 15 lines modified | ||
| 5544 | ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/> | 5544 | ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/> |
| 5545 | ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/> | 5545 | ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/> |
| 5546 | ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/> | 5546 | ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/> |
| 5547 | ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/> | 5547 | ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/> |
| 5548 | ······</ns0:variables> | 5548 | ······</ns0:variables> |
| 5549 | ····</ns0:oval_definitions> | 5549 | ····</ns0:oval_definitions> |
| 5550 | ··</ds:component> | 5550 | ··</ds:component> |
| 5551 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1404-ocil.xml"·timestamp="2020-07-1 | 5551 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1404-ocil.xml"·timestamp="2020-07-12T18:46:22"> |
| 5552 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 5552 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 5553 | ······<ns0:generator> | 5553 | ······<ns0:generator> |
| 5554 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 5554 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5555 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5555 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 5556 | ········<ns0:schema_version>2.0</ns0:schema_version> | 5556 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 5557 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 5557 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 5558 | ······</ns0:generator> | 5558 | ······</ns0:generator> |
| Offset 5571, 38 lines modified | Offset 5571, 50 lines modified | ||
| 5571 | ········</ns0:questionnaire> | 5571 | ········</ns0:questionnaire> |
| 5572 | ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | 5572 | ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> |
| 5573 | ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | 5573 | ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> |
| 5574 | ··········<ns0:actions> | 5574 | ··········<ns0:actions> |
| 5575 | ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | 5575 | ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> |
| 5576 | ··········</ns0:actions> | 5576 | ··········</ns0:actions> |
| 5577 | ········</ns0:questionnaire> | 5577 | ········</ns0:questionnaire> |
| 5578 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 5578 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 5579 | ··········<ns0:title> | 5579 | ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 5580 | ··········<ns0:actions> | 5580 | ··········<ns0:actions> |
| 5581 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 5581 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 5582 | ··········</ns0:actions> | 5582 | ··········</ns0:actions> |
| 5583 | ········</ns0:questionnaire> | 5583 | ········</ns0:questionnaire> |
| 5584 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> | 5584 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 5585 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> | 5585 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 5586 | ··········<ns0:actions> | 5586 | ··········<ns0:actions> |
| 5587 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> | 5587 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 5588 | ··········</ns0:actions> | 5588 | ··········</ns0:actions> |
| 5589 | ········</ns0:questionnaire> | 5589 | ········</ns0:questionnaire> |
| 5590 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_ | 5590 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> |
| 5591 | ··········<ns0:title> | 5591 | ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> |
| 5592 | ··········<ns0:actions> | 5592 | ··········<ns0:actions> |
| 5593 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_ | 5593 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> |
| 5594 | ··········</ns0:actions> | 5594 | ··········</ns0:actions> |
| 5595 | ········</ns0:questionnaire> | 5595 | ········</ns0:questionnaire> |
| 5596 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> | 5596 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> |
| 5597 | ··········<ns0:title>Disable·SSH·Root·Login</ns0:title> | 5597 | ··········<ns0:title>Disable·SSH·Root·Login</ns0:title> |
| 5598 | ··········<ns0:actions> | 5598 | ··········<ns0:actions> |
| 5599 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> | 5599 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> |
| 5600 | ··········</ns0:actions> | 5600 | ··········</ns0:actions> |
| 5601 | ········</ns0:questionnaire> | 5601 | ········</ns0:questionnaire> |
| 5602 | ········<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"> | ||
| 5603 | ··········<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title> | ||
| 5604 | ··········<ns0:actions> | ||
| 5605 | ············<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref> | ||
| 5606 | ··········</ns0:actions> | ||
| 5607 | ········</ns0:questionnaire> | ||
| 5608 | ········<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1"> | ||
| 5609 | ··········<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title> | ||
| 5610 | ··········<ns0:actions> | ||
| 5611 | ············<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref> | ||
| 5612 | ··········</ns0:actions> | ||
| 5613 | ········</ns0:questionnaire> | ||
| 5602 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> | 5614 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> |
| 5603 | ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> | 5615 | ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> |
| 5604 | ··········<ns0:actions> | 5616 | ··········<ns0:actions> |
| 5605 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> | 5617 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> |
| 5606 | ··········</ns0:actions> | 5618 | ··········</ns0:actions> |
| 5607 | ········</ns0:questionnaire> | 5619 | ········</ns0:questionnaire> |
| 5608 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> | 5620 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> |
| Offset 5619, 26 lines modified | Offset 5631, 26 lines modified | ||
| 5619 | ········</ns0:questionnaire> | 5631 | ········</ns0:questionnaire> |
| 5620 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> | 5632 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> |
| 5621 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> | 5633 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> |
| 5622 | ··········<ns0:actions> | 5634 | ··········<ns0:actions> |
| 5623 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> | 5635 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> |
| 5624 | ··········</ns0:actions> | 5636 | ··········</ns0:actions> |
| 5625 | ········</ns0:questionnaire> | 5637 | ········</ns0:questionnaire> |
| 5626 | ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | ||
| 5627 | ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | ||
| 5628 | ··········<ns0:actions> | ||
| 5629 | ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | ||
| 5630 | ··········</ns0:actions> | ||
| 5631 | ········</ns0:questionnaire> | ||
| 5632 | ········<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"> | 5638 | ········<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"> |
| 5633 | ··········<ns0:title>Enable·syslog-ng·Service</ns0:title> | 5639 | ··········<ns0:title>Enable·syslog-ng·Service</ns0:title> |
| 5634 | ··········<ns0:actions> | 5640 | ··········<ns0:actions> |
| 5635 | ············<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref> | 5641 | ············<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref> |
| 5636 | ··········</ns0:actions> | 5642 | ··········</ns0:actions> |
| 5637 | ········</ns0:questionnaire> | 5643 | ········</ns0:questionnaire> |
| 5644 | ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | ||
| 5645 | ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | ||
| 5646 | ··········<ns0:actions> | ||
| 5647 | ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | ||
| 5648 | ··········</ns0:actions> | ||
| 5649 | ········</ns0:questionnaire> | ||
| 5638 | ········<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"> | 5650 | ········<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"> |
| 5639 | ··········<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title> | 5651 | ··········<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title> |
| 5640 | ··········<ns0:actions> | 5652 | ··········<ns0:actions> |
| 5641 | ············<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref> | 5653 | ············<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref> |
| 5642 | ··········</ns0:actions> | 5654 | ··········</ns0:actions> |
| 5643 | ········</ns0:questionnaire> | 5655 | ········</ns0:questionnaire> |
| 5644 | ········<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"> | 5656 | ········<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"> |
| Offset 5649, 26 lines modified | Offset 5661, 14 lines modified | ||
| 5649 | ········</ns0:questionnaire> | 5661 | ········</ns0:questionnaire> |
| 5650 | ········<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> | 5662 | ········<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> |
| 5651 | ··········<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> | 5663 | ··········<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> |
| 5652 | ··········<ns0:actions> | 5664 | ··········<ns0:actions> |
| 5653 | ············<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> | 5665 | ············<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> |
| Max diff block lines reached; 159432/168826 bytes (94.44%) of diff not shown. | |||
| Offset 21, 38 lines modified | Offset 21, 50 lines modified | ||
| 21 | ····</ns0:questionnaire> | 21 | ····</ns0:questionnaire> |
| 22 | ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | 22 | ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> |
| 23 | ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | 23 | ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> |
| 24 | ······<ns0:actions> | 24 | ······<ns0:actions> |
| 25 | ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | 25 | ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> |
| 26 | ······</ns0:actions> | 26 | ······</ns0:actions> |
| 27 | ····</ns0:questionnaire> | 27 | ····</ns0:questionnaire> |
| 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 29 | ······<ns0:title> | 29 | ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 30 | ······<ns0:actions> | 30 | ······<ns0:actions> |
| 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 32 | ······</ns0:actions> | 32 | ······</ns0:actions> |
| 33 | ····</ns0:questionnaire> | 33 | ····</ns0:questionnaire> |
| 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> | 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 35 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> | 35 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 36 | ······<ns0:actions> | 36 | ······<ns0:actions> |
| 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> | 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 38 | ······</ns0:actions> | 38 | ······</ns0:actions> |
| 39 | ····</ns0:questionnaire> | 39 | ····</ns0:questionnaire> |
| 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_ | 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> |
| 41 | ······<ns0:title> | 41 | ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> |
| 42 | ······<ns0:actions> | 42 | ······<ns0:actions> |
| 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_ | 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> |
| 44 | ······</ns0:actions> | 44 | ······</ns0:actions> |
| 45 | ····</ns0:questionnaire> | 45 | ····</ns0:questionnaire> |
| 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> | 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> |
| 47 | ······<ns0:title>Disable·SSH·Root·Login</ns0:title> | 47 | ······<ns0:title>Disable·SSH·Root·Login</ns0:title> |
| 48 | ······<ns0:actions> | 48 | ······<ns0:actions> |
| 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> | 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> |
| 50 | ······</ns0:actions> | 50 | ······</ns0:actions> |
| 51 | ····</ns0:questionnaire> | 51 | ····</ns0:questionnaire> |
| 52 | ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"> | ||
| 53 | ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title> | ||
| 54 | ······<ns0:actions> | ||
| 55 | ········<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref> | ||
| 56 | ······</ns0:actions> | ||
| 57 | ····</ns0:questionnaire> | ||
| 58 | ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1"> | ||
| 59 | ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title> | ||
| 60 | ······<ns0:actions> | ||
| 61 | ········<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref> | ||
| 62 | ······</ns0:actions> | ||
| 63 | ····</ns0:questionnaire> | ||
| 52 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> | 64 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> |
| 53 | ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> | 65 | ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> |
| 54 | ······<ns0:actions> | 66 | ······<ns0:actions> |
| 55 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> | 67 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> |
| 56 | ······</ns0:actions> | 68 | ······</ns0:actions> |
| 57 | ····</ns0:questionnaire> | 69 | ····</ns0:questionnaire> |
| 58 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> | 70 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> |
| Offset 69, 26 lines modified | Offset 81, 26 lines modified | ||
| 69 | ····</ns0:questionnaire> | 81 | ····</ns0:questionnaire> |
| 70 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> | 82 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> |
| 71 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> | 83 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> |
| 72 | ······<ns0:actions> | 84 | ······<ns0:actions> |
| 73 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> | 85 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> |
| 74 | ······</ns0:actions> | 86 | ······</ns0:actions> |
| 75 | ····</ns0:questionnaire> | 87 | ····</ns0:questionnaire> |
| 76 | ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | ||
| 77 | ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | ||
| 78 | ······<ns0:actions> | ||
| 79 | ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | ||
| 80 | ······</ns0:actions> | ||
| 81 | ····</ns0:questionnaire> | ||
| 82 | ····<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"> | 88 | ····<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"> |
| 83 | ······<ns0:title>Enable·syslog-ng·Service</ns0:title> | 89 | ······<ns0:title>Enable·syslog-ng·Service</ns0:title> |
| 84 | ······<ns0:actions> | 90 | ······<ns0:actions> |
| 85 | ········<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref> | 91 | ········<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref> |
| 86 | ······</ns0:actions> | 92 | ······</ns0:actions> |
| 87 | ····</ns0:questionnaire> | 93 | ····</ns0:questionnaire> |
| 94 | ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | ||
| 95 | ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | ||
| 96 | ······<ns0:actions> | ||
| 97 | ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | ||
| 98 | ······</ns0:actions> | ||
| 99 | ····</ns0:questionnaire> | ||
| 88 | ····<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"> | 100 | ····<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"> |
| 89 | ······<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title> | 101 | ······<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title> |
| 90 | ······<ns0:actions> | 102 | ······<ns0:actions> |
| 91 | ········<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref> | 103 | ········<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref> |
| 92 | ······</ns0:actions> | 104 | ······</ns0:actions> |
| 93 | ····</ns0:questionnaire> | 105 | ····</ns0:questionnaire> |
| 94 | ····<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"> | 106 | ····<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"> |
| Offset 99, 26 lines modified | Offset 111, 14 lines modified | ||
| 99 | ····</ns0:questionnaire> | 111 | ····</ns0:questionnaire> |
| 100 | ····<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> | 112 | ····<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> |
| 101 | ······<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> | 113 | ······<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> |
| 102 | ······<ns0:actions> | 114 | ······<ns0:actions> |
| 103 | ········<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> | 115 | ········<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> |
| 104 | ······</ns0:actions> | 116 | ······</ns0:actions> |
| 105 | ····</ns0:questionnaire> | 117 | ····</ns0:questionnaire> |
| 106 | ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"> | ||
| 107 | ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title> | ||
| 108 | ······<ns0:actions> | ||
| 109 | ········<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref> | ||
| 110 | ······</ns0:actions> | ||
| 111 | ····</ns0:questionnaire> | ||
| 112 | ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1"> | ||
| 113 | ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title> | ||
| 114 | ······<ns0:actions> | ||
| 115 | ········<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref> | ||
| 116 | ······</ns0:actions> | ||
| 117 | ····</ns0:questionnaire> | ||
| 118 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_srv_ocil:questionnaire:1"> | 118 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_srv_ocil:questionnaire:1"> |
| 119 | ······<ns0:title>Ensure·/srv·Located·On·Separate·Partition</ns0:title> | 119 | ······<ns0:title>Ensure·/srv·Located·On·Separate·Partition</ns0:title> |
| 120 | ······<ns0:actions> | 120 | ······<ns0:actions> |
| 121 | ········<ns0:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ns0:test_action_ref> | 121 | ········<ns0:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ns0:test_action_ref> |
| 122 | ······</ns0:actions> | 122 | ······</ns0:actions> |
| 123 | ····</ns0:questionnaire> | 123 | ····</ns0:questionnaire> |
| 124 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1"> | 124 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1"> |
| Offset 233, 15 lines modified | Offset 233, 15 lines modified | ||
| 233 | ······<ns0:when_true> | 233 | ······<ns0:when_true> |
| 234 | ········<ns0:result>PASS</ns0:result> | 234 | ········<ns0:result>PASS</ns0:result> |
| 235 | ······</ns0:when_true> | 235 | ······</ns0:when_true> |
| 236 | ······<ns0:when_false> | 236 | ······<ns0:when_false> |
| 237 | ········<ns0:result>FAIL</ns0:result> | 237 | ········<ns0:result>FAIL</ns0:result> |
| 238 | ······</ns0:when_false> | 238 | ······</ns0:when_false> |
| 239 | ····</ns0:boolean_question_test_action> | 239 | ····</ns0:boolean_question_test_action> |
| 240 | ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_ | 240 | ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_set_keepalive_action:testaction:1"·question_ref="ocil:ssg-sshd_set_keepalive_question:question:1"> |
| 241 | ······<ns0:when_true> | 241 | ······<ns0:when_true> |
| 242 | ········<ns0:result>PASS</ns0:result> | 242 | ········<ns0:result>PASS</ns0:result> |
| 243 | ······</ns0:when_true> | 243 | ······</ns0:when_true> |
| 244 | ······<ns0:when_false> | 244 | ······<ns0:when_false> |
| 245 | ········<ns0:result>FAIL</ns0:result> | 245 | ········<ns0:result>FAIL</ns0:result> |
| 246 | ······</ns0:when_false> | 246 | ······</ns0:when_false> |
| 247 | ····</ns0:boolean_question_test_action> | 247 | ····</ns0:boolean_question_test_action> |
| Offset 249, 15 lines modified | Offset 249, 15 lines modified | ||
| Max diff block lines reached; 14766/22089 bytes (66.85%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:36:55</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> | 12 | ········<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Ubuntu·1404</ns0:platform> | 14 | ··········<ns0:platform>Ubuntu·1404</ns0:platform> |
| Offset 160, 60 lines modified | Offset 160, 14 lines modified | ||
| 160 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 160 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 161 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 161 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> | 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 164 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 164 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 165 | ··</metadata> | 165 | ··</metadata> |
| 166 | ··<model·system="urn:xccdf:scoring:default"/> | 166 | ··<model·system="urn:xccdf:scoring:default"/> |
| 167 | ··<Profile·id="anssi_np_nt28_restrictive"> | ||
| 168 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title> | ||
| 169 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description> | ||
| 170 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | ||
| 171 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | ||
| 172 | ····<select·idref="package_telnetd_removed"·selected="true"/> | ||
| 173 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | ||
| 174 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | ||
| 175 | ····<select·idref="package_nis_removed"·selected="true"/> | ||
| 176 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> | ||
| 177 | ····<select·idref="file_permissions_etc_shadow"·selected="true"/> | ||
| 178 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> | ||
| 179 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> | ||
| 180 | ····<select·idref="file_permissions_etc_group"·selected="true"/> | ||
| 181 | ····<select·idref="package_ntp_installed"·selected="true"/> | ||
| 182 | ····<select·idref="package_ntpdate_removed"·selected="true"/> | ||
| 183 | ····<select·idref="sshd_set_idle_timeout"·selected="true"/> | ||
| 184 | ····<select·idref="sshd_disable_root_login"·selected="true"/> | ||
| 185 | ····<select·idref="sshd_disable_empty_passwords"·selected="true"/> | ||
| 186 | ····<select·idref="sshd_allow_only_protocol2"·selected="true"/> | ||
| 187 | ····<select·idref="sshd_set_keepalive"·selected="true"/> | ||
| 188 | ····<select·idref="rsyslog_files_ownership"·selected="true"/> | ||
| 189 | ····<select·idref="rsyslog_files_groupownership"·selected="true"/> | ||
| 190 | ····<select·idref="rsyslog_files_permissions"·selected="true"/> | ||
| 191 | ····<select·idref="rsyslog_remote_loghost"·selected="false"/> | ||
| 192 | ····<select·idref="ensure_logrotate_activated"·selected="true"/> | ||
| 193 | ····<select·idref="file_permissions_systemmap"·selected="true"/> | ||
| 194 | ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> | ||
| 195 | ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> | ||
| 196 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | ||
| 197 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | ||
| 198 | ····<select·idref="partition_for_tmp"·selected="true"/> | ||
| 199 | ····<select·idref="partition_for_var"·selected="true"/> | ||
| 200 | ····<select·idref="partition_for_var_log"·selected="true"/> | ||
| 201 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 202 | ····<select·idref="partition_for_home"·selected="true"/> | ||
| 203 | ····<select·idref="package_auditd_installed"·selected="true"/> | ||
| 204 | ····<select·idref="package_cron_installed"·selected="true"/> | ||
| 205 | ····<select·idref="service_auditd_enabled"·selected="true"/> | ||
| 206 | ····<select·idref="service_ntpd_enabled"·selected="true"/> | ||
| 207 | ····<select·idref="remediation_functions"·selected="false"/> | ||
| 208 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | ||
| 209 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | ||
| 210 | ····<select·idref="hw-install"·selected="false"/> | ||
| 211 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | ||
| 212 | ··</Profile> | ||
| 213 | ··<Profile·id="anssi_np_nt28_average"> | 167 | ··<Profile·id="anssi_np_nt28_average"> |
| 214 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title> | 168 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title> |
| 215 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description> | 169 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description> |
| 216 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | 170 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> |
| 217 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | 171 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> |
| 218 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 172 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 219 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 173 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| Offset 243, 22 lines modified | Offset 197, 22 lines modified | ||
| 243 | ····<select·idref="ensure_logrotate_activated"·selected="true"/> | 197 | ····<select·idref="ensure_logrotate_activated"·selected="true"/> |
| 244 | ····<select·idref="file_permissions_systemmap"·selected="true"/> | 198 | ····<select·idref="file_permissions_systemmap"·selected="true"/> |
| 245 | ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> | 199 | ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> |
| 246 | ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> | 200 | ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> |
| 247 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | 201 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> |
| 248 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | 202 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> |
| 249 | ····<select·idref="remediation_functions"·selected="false"/> | 203 | ····<select·idref="remediation_functions"·selected="false"/> |
| 204 | ····<select·idref="hw-install"·selected="false"/> | ||
| 250 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 205 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 251 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 206 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 252 | ····<select·idref="hw-install"·selected="false"/> | ||
| 253 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 207 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 254 | ··</Profile> | 208 | ··</Profile> |
| 255 | ··<Profile·id="anssi_np_nt28_ | 209 | ··<Profile·id="anssi_np_nt28_restrictive"> |
| 256 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28· | 210 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title> |
| 257 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations· | 211 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description> |
| 258 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | 212 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> |
| 259 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | 213 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> |
| 260 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 214 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 261 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 215 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| 262 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | 216 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> |
| 263 | ····<select·idref="package_nis_removed"·selected="true"/> | 217 | ····<select·idref="package_nis_removed"·selected="true"/> |
| 264 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> | 218 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> |
| Offset 288, 16 lines modified | Offset 242, 16 lines modified | ||
| 288 | ····<select·idref="partition_for_var_log"·selected="true"/> | 242 | ····<select·idref="partition_for_var_log"·selected="true"/> |
| 289 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | 243 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> |
| 290 | ····<select·idref="partition_for_home"·selected="true"/> | 244 | ····<select·idref="partition_for_home"·selected="true"/> |
| 291 | ····<select·idref="package_auditd_installed"·selected="true"/> | 245 | ····<select·idref="package_auditd_installed"·selected="true"/> |
| 292 | ····<select·idref="package_cron_installed"·selected="true"/> | 246 | ····<select·idref="package_cron_installed"·selected="true"/> |
| 293 | ····<select·idref="service_auditd_enabled"·selected="true"/> | 247 | ····<select·idref="service_auditd_enabled"·selected="true"/> |
| 294 | ····<select·idref="service_ntpd_enabled"·selected="true"/> | 248 | ····<select·idref="service_ntpd_enabled"·selected="true"/> |
| 295 | ····<select·idref="grub2_enable_iommu_force"·selected="true"/> | ||
| 296 | ····<select·idref="remediation_functions"·selected="false"/> | 249 | ····<select·idref="remediation_functions"·selected="false"/> |
| 250 | ····<select·idref="hw-install"·selected="false"/> | ||
| 297 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 251 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 298 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 252 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 299 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 253 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 300 | ··</Profile> | 254 | ··</Profile> |
| 301 | ··<Profile·id="anssi_np_nt28_minimal"> | 255 | ··<Profile·id="anssi_np_nt28_minimal"> |
| 302 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title> | 256 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title> |
| 303 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description> | 257 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description> |
| Offset 312, 28 lines modified | Offset 266, 74 lines modified | ||
| 312 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> | 266 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> |
| 313 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> | 267 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> |
| 314 | ····<select·idref="file_permissions_etc_group"·selected="true"/> | 268 | ····<select·idref="file_permissions_etc_group"·selected="true"/> |
| 315 | ····<select·idref="remediation_functions"·selected="false"/> | 269 | ····<select·idref="remediation_functions"·selected="false"/> |
| 316 | ····<select·idref="basics"·selected="false"/> | 270 | ····<select·idref="basics"·selected="false"/> |
| 317 | ····<select·idref="ssh"·selected="false"/> | 271 | ····<select·idref="ssh"·selected="false"/> |
| 318 | ····<select·idref="ssh_server"·selected="false"/> | 272 | ····<select·idref="ssh_server"·selected="false"/> |
| 273 | ····<select·idref="hw-install"·selected="false"/> | ||
| 319 | ····<select·idref="logging"·selected="false"/> | 274 | ····<select·idref="logging"·selected="false"/> |
| 320 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 275 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 321 | ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/> | 276 | ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/> |
| 322 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 277 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 323 | ····<select·idref="log_rotation"·selected="false"/> | 278 | ····<select·idref="log_rotation"·selected="false"/> |
| 324 | ····<select·idref="hw-install"·selected="false"/> | ||
| 325 | ····<select·idref="fs-part"·selected="false"/> | 279 | ····<select·idref="fs-part"·selected="false"/> |
| 326 | ····<select·idref="installation-storage-partitioning"·selected="false"/> | 280 | ····<select·idref="installation-storage-partitioning"·selected="false"/> |
| 327 | ····<select·idref="fs-restrict"·selected="false"/> | 281 | ····<select·idref="fs-restrict"·selected="false"/> |
| 328 | ····<select·idref="permission_important_state_files"·selected="false"/> | 282 | ····<select·idref="permission_important_state_files"·selected="false"/> |
| 329 | ····<select·idref="restriction"·selected="false"/> | 283 | ····<select·idref="restriction"·selected="false"/> |
| 330 | ····<select·idref="coredumps"·selected="false"/> | 284 | ····<select·idref="coredumps"·selected="false"/> |
| 331 | ····<select·idref="enable_execshield_settings"·selected="false"/> | 285 | ····<select·idref="enable_execshield_settings"·selected="false"/> |
| 332 | ··</Profile> | 286 | ··</Profile> |
| 287 | ··<Profile·id="anssi_np_nt28_high"> | ||
| 288 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</title> | ||
| Max diff block lines reached; 121028/133362 bytes (90.75%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:36:59</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>CentOS·6</ns0:title> | 12 | ········<ns0:title>CentOS·6</ns0:title> |
| 13 | ········<ns0:affected·family="unix"/> | 13 | ········<ns0:affected·family="unix"/> |
| 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> | 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> |
| Offset 18, 21 lines modified | Offset 18, 21 lines modified | ||
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-ocil.xml"/> | 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-ocil.xml"/> |
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"·timestamp="2020-07-1 | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"·timestamp="2020-07-12T18:46:28"> |
| 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 27 | ······<ns0:generator> | 27 | ······<ns0:generator> |
| 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 30 | ········<ns2:schema_version>5.11</ns2:schema_version> | 30 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 31 | ········<ns2:timestamp>2020-07-12T0 | 31 | ········<ns2:timestamp>2020-07-12T04:36:59</ns2:timestamp> |
| 32 | ······</ns0:generator> | 32 | ······</ns0:generator> |
| 33 | ······<ns0:definitions> | 33 | ······<ns0:definitions> |
| 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-grub2_enable_iommu_force:def:1"·version="1"> | 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-grub2_enable_iommu_force:def:1"·version="1"> |
| 35 | ··········<ns0:metadata> | 35 | ··········<ns0:metadata> |
| 36 | ············<ns0:title>Force·IOMMU·usage·in·GRUB2</ns0:title> | 36 | ············<ns0:title>Force·IOMMU·usage·in·GRUB2</ns0:title> |
| 37 | ············<ns0:affected·family="unix"> | 37 | ············<ns0:affected·family="unix"> |
| 38 | ··············<ns0:platform>Ubuntu·1404</ns0:platform> | 38 | ··············<ns0:platform>Ubuntu·1404</ns0:platform> |
| Offset 5548, 15 lines modified | Offset 5548, 15 lines modified | ||
| 5548 | ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/> | 5548 | ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/> |
| 5549 | ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/> | 5549 | ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/> |
| 5550 | ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/> | 5550 | ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/> |
| 5551 | ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/> | 5551 | ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/> |
| 5552 | ······</ns0:variables> | 5552 | ······</ns0:variables> |
| 5553 | ····</ns0:oval_definitions> | 5553 | ····</ns0:oval_definitions> |
| 5554 | ··</ds:component> | 5554 | ··</ds:component> |
| 5555 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1604-ocil.xml"·timestamp="2020-07-1 | 5555 | ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1604-ocil.xml"·timestamp="2020-07-12T18:46:28"> |
| 5556 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 5556 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 5557 | ······<ns0:generator> | 5557 | ······<ns0:generator> |
| 5558 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 5558 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5559 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5559 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 5560 | ········<ns0:schema_version>2.0</ns0:schema_version> | 5560 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 5561 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 5561 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 5562 | ······</ns0:generator> | 5562 | ······</ns0:generator> |
| Offset 5575, 38 lines modified | Offset 5575, 50 lines modified | ||
| 5575 | ········</ns0:questionnaire> | 5575 | ········</ns0:questionnaire> |
| 5576 | ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | 5576 | ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> |
| 5577 | ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | 5577 | ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> |
| 5578 | ··········<ns0:actions> | 5578 | ··········<ns0:actions> |
| 5579 | ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | 5579 | ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> |
| 5580 | ··········</ns0:actions> | 5580 | ··········</ns0:actions> |
| 5581 | ········</ns0:questionnaire> | 5581 | ········</ns0:questionnaire> |
| 5582 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 5582 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 5583 | ··········<ns0:title> | 5583 | ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 5584 | ··········<ns0:actions> | 5584 | ··········<ns0:actions> |
| 5585 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 5585 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 5586 | ··········</ns0:actions> | 5586 | ··········</ns0:actions> |
| 5587 | ········</ns0:questionnaire> | 5587 | ········</ns0:questionnaire> |
| 5588 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> | 5588 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 5589 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> | 5589 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 5590 | ··········<ns0:actions> | 5590 | ··········<ns0:actions> |
| 5591 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> | 5591 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 5592 | ··········</ns0:actions> | 5592 | ··········</ns0:actions> |
| 5593 | ········</ns0:questionnaire> | 5593 | ········</ns0:questionnaire> |
| 5594 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_ | 5594 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> |
| 5595 | ··········<ns0:title> | 5595 | ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> |
| 5596 | ··········<ns0:actions> | 5596 | ··········<ns0:actions> |
| 5597 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_ | 5597 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> |
| 5598 | ··········</ns0:actions> | 5598 | ··········</ns0:actions> |
| 5599 | ········</ns0:questionnaire> | 5599 | ········</ns0:questionnaire> |
| 5600 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> | 5600 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> |
| 5601 | ··········<ns0:title>Disable·SSH·Root·Login</ns0:title> | 5601 | ··········<ns0:title>Disable·SSH·Root·Login</ns0:title> |
| 5602 | ··········<ns0:actions> | 5602 | ··········<ns0:actions> |
| 5603 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> | 5603 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> |
| 5604 | ··········</ns0:actions> | 5604 | ··········</ns0:actions> |
| 5605 | ········</ns0:questionnaire> | 5605 | ········</ns0:questionnaire> |
| 5606 | ········<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"> | ||
| 5607 | ··········<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title> | ||
| 5608 | ··········<ns0:actions> | ||
| 5609 | ············<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref> | ||
| 5610 | ··········</ns0:actions> | ||
| 5611 | ········</ns0:questionnaire> | ||
| 5612 | ········<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1"> | ||
| 5613 | ··········<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title> | ||
| 5614 | ··········<ns0:actions> | ||
| 5615 | ············<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref> | ||
| 5616 | ··········</ns0:actions> | ||
| 5617 | ········</ns0:questionnaire> | ||
| 5606 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> | 5618 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> |
| 5607 | ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> | 5619 | ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> |
| 5608 | ··········<ns0:actions> | 5620 | ··········<ns0:actions> |
| 5609 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> | 5621 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> |
| 5610 | ··········</ns0:actions> | 5622 | ··········</ns0:actions> |
| 5611 | ········</ns0:questionnaire> | 5623 | ········</ns0:questionnaire> |
| 5612 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> | 5624 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> |
| Offset 5623, 26 lines modified | Offset 5635, 26 lines modified | ||
| 5623 | ········</ns0:questionnaire> | 5635 | ········</ns0:questionnaire> |
| 5624 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> | 5636 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> |
| 5625 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> | 5637 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> |
| 5626 | ··········<ns0:actions> | 5638 | ··········<ns0:actions> |
| 5627 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> | 5639 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> |
| 5628 | ··········</ns0:actions> | 5640 | ··········</ns0:actions> |
| 5629 | ········</ns0:questionnaire> | 5641 | ········</ns0:questionnaire> |
| 5630 | ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | ||
| 5631 | ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | ||
| 5632 | ··········<ns0:actions> | ||
| 5633 | ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | ||
| 5634 | ··········</ns0:actions> | ||
| 5635 | ········</ns0:questionnaire> | ||
| 5636 | ········<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"> | 5642 | ········<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"> |
| 5637 | ··········<ns0:title>Enable·syslog-ng·Service</ns0:title> | 5643 | ··········<ns0:title>Enable·syslog-ng·Service</ns0:title> |
| 5638 | ··········<ns0:actions> | 5644 | ··········<ns0:actions> |
| 5639 | ············<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref> | 5645 | ············<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref> |
| 5640 | ··········</ns0:actions> | 5646 | ··········</ns0:actions> |
| 5641 | ········</ns0:questionnaire> | 5647 | ········</ns0:questionnaire> |
| 5648 | ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | ||
| 5649 | ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | ||
| 5650 | ··········<ns0:actions> | ||
| 5651 | ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | ||
| 5652 | ··········</ns0:actions> | ||
| 5653 | ········</ns0:questionnaire> | ||
| 5642 | ········<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"> | 5654 | ········<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"> |
| 5643 | ··········<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title> | 5655 | ··········<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title> |
| 5644 | ··········<ns0:actions> | 5656 | ··········<ns0:actions> |
| 5645 | ············<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref> | 5657 | ············<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref> |
| 5646 | ··········</ns0:actions> | 5658 | ··········</ns0:actions> |
| 5647 | ········</ns0:questionnaire> | 5659 | ········</ns0:questionnaire> |
| 5648 | ········<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"> | 5660 | ········<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"> |
| Offset 5653, 26 lines modified | Offset 5665, 14 lines modified | ||
| 5653 | ········</ns0:questionnaire> | 5665 | ········</ns0:questionnaire> |
| 5654 | ········<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> | 5666 | ········<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> |
| 5655 | ··········<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> | 5667 | ··········<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> |
| 5656 | ··········<ns0:actions> | 5668 | ··········<ns0:actions> |
| 5657 | ············<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> | 5669 | ············<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> |
| Max diff block lines reached; 159451/168815 bytes (94.45%) of diff not shown. | |||
| Offset 21, 38 lines modified | Offset 21, 50 lines modified | ||
| 21 | ····</ns0:questionnaire> | 21 | ····</ns0:questionnaire> |
| 22 | ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | 22 | ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> |
| 23 | ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | 23 | ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> |
| 24 | ······<ns0:actions> | 24 | ······<ns0:actions> |
| 25 | ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | 25 | ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> |
| 26 | ······</ns0:actions> | 26 | ······</ns0:actions> |
| 27 | ····</ns0:questionnaire> | 27 | ····</ns0:questionnaire> |
| 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 29 | ······<ns0:title> | 29 | ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 30 | ······<ns0:actions> | 30 | ······<ns0:actions> |
| 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 32 | ······</ns0:actions> | 32 | ······</ns0:actions> |
| 33 | ····</ns0:questionnaire> | 33 | ····</ns0:questionnaire> |
| 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> | 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 35 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> | 35 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 36 | ······<ns0:actions> | 36 | ······<ns0:actions> |
| 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> | 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 38 | ······</ns0:actions> | 38 | ······</ns0:actions> |
| 39 | ····</ns0:questionnaire> | 39 | ····</ns0:questionnaire> |
| 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_ | 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> |
| 41 | ······<ns0:title> | 41 | ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> |
| 42 | ······<ns0:actions> | 42 | ······<ns0:actions> |
| 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_ | 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> |
| 44 | ······</ns0:actions> | 44 | ······</ns0:actions> |
| 45 | ····</ns0:questionnaire> | 45 | ····</ns0:questionnaire> |
| 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> | 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> |
| 47 | ······<ns0:title>Disable·SSH·Root·Login</ns0:title> | 47 | ······<ns0:title>Disable·SSH·Root·Login</ns0:title> |
| 48 | ······<ns0:actions> | 48 | ······<ns0:actions> |
| 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> | 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> |
| 50 | ······</ns0:actions> | 50 | ······</ns0:actions> |
| 51 | ····</ns0:questionnaire> | 51 | ····</ns0:questionnaire> |
| 52 | ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"> | ||
| 53 | ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title> | ||
| 54 | ······<ns0:actions> | ||
| 55 | ········<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref> | ||
| 56 | ······</ns0:actions> | ||
| 57 | ····</ns0:questionnaire> | ||
| 58 | ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1"> | ||
| 59 | ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title> | ||
| 60 | ······<ns0:actions> | ||
| 61 | ········<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref> | ||
| 62 | ······</ns0:actions> | ||
| 63 | ····</ns0:questionnaire> | ||
| 52 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> | 64 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"> |
| 53 | ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> | 65 | ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title> |
| 54 | ······<ns0:actions> | 66 | ······<ns0:actions> |
| 55 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> | 67 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref> |
| 56 | ······</ns0:actions> | 68 | ······</ns0:actions> |
| 57 | ····</ns0:questionnaire> | 69 | ····</ns0:questionnaire> |
| 58 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> | 70 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"> |
| Offset 69, 26 lines modified | Offset 81, 26 lines modified | ||
| 69 | ····</ns0:questionnaire> | 81 | ····</ns0:questionnaire> |
| 70 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> | 82 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> |
| 71 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> | 83 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> |
| 72 | ······<ns0:actions> | 84 | ······<ns0:actions> |
| 73 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> | 85 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> |
| 74 | ······</ns0:actions> | 86 | ······</ns0:actions> |
| 75 | ····</ns0:questionnaire> | 87 | ····</ns0:questionnaire> |
| 76 | ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | ||
| 77 | ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | ||
| 78 | ······<ns0:actions> | ||
| 79 | ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | ||
| 80 | ······</ns0:actions> | ||
| 81 | ····</ns0:questionnaire> | ||
| 82 | ····<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"> | 88 | ····<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"> |
| 83 | ······<ns0:title>Enable·syslog-ng·Service</ns0:title> | 89 | ······<ns0:title>Enable·syslog-ng·Service</ns0:title> |
| 84 | ······<ns0:actions> | 90 | ······<ns0:actions> |
| 85 | ········<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref> | 91 | ········<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref> |
| 86 | ······</ns0:actions> | 92 | ······</ns0:actions> |
| 87 | ····</ns0:questionnaire> | 93 | ····</ns0:questionnaire> |
| 94 | ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | ||
| 95 | ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | ||
| 96 | ······<ns0:actions> | ||
| 97 | ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | ||
| 98 | ······</ns0:actions> | ||
| 99 | ····</ns0:questionnaire> | ||
| 88 | ····<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"> | 100 | ····<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"> |
| 89 | ······<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title> | 101 | ······<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title> |
| 90 | ······<ns0:actions> | 102 | ······<ns0:actions> |
| 91 | ········<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref> | 103 | ········<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref> |
| 92 | ······</ns0:actions> | 104 | ······</ns0:actions> |
| 93 | ····</ns0:questionnaire> | 105 | ····</ns0:questionnaire> |
| 94 | ····<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"> | 106 | ····<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"> |
| Offset 99, 26 lines modified | Offset 111, 14 lines modified | ||
| 99 | ····</ns0:questionnaire> | 111 | ····</ns0:questionnaire> |
| 100 | ····<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> | 112 | ····<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"> |
| 101 | ······<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> | 113 | ······<ns0:title>Ensure·rsyslog·is·Installed</ns0:title> |
| 102 | ······<ns0:actions> | 114 | ······<ns0:actions> |
| 103 | ········<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> | 115 | ········<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref> |
| 104 | ······</ns0:actions> | 116 | ······</ns0:actions> |
| 105 | ····</ns0:questionnaire> | 117 | ····</ns0:questionnaire> |
| 106 | ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"> | ||
| 107 | ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title> | ||
| 108 | ······<ns0:actions> | ||
| 109 | ········<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref> | ||
| 110 | ······</ns0:actions> | ||
| 111 | ····</ns0:questionnaire> | ||
| 112 | ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1"> | ||
| 113 | ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title> | ||
| 114 | ······<ns0:actions> | ||
| 115 | ········<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref> | ||
| 116 | ······</ns0:actions> | ||
| 117 | ····</ns0:questionnaire> | ||
| 118 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_srv_ocil:questionnaire:1"> | 118 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_srv_ocil:questionnaire:1"> |
| 119 | ······<ns0:title>Ensure·/srv·Located·On·Separate·Partition</ns0:title> | 119 | ······<ns0:title>Ensure·/srv·Located·On·Separate·Partition</ns0:title> |
| 120 | ······<ns0:actions> | 120 | ······<ns0:actions> |
| 121 | ········<ns0:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ns0:test_action_ref> | 121 | ········<ns0:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ns0:test_action_ref> |
| 122 | ······</ns0:actions> | 122 | ······</ns0:actions> |
| 123 | ····</ns0:questionnaire> | 123 | ····</ns0:questionnaire> |
| 124 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1"> | 124 | ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1"> |
| Offset 233, 15 lines modified | Offset 233, 15 lines modified | ||
| 233 | ······<ns0:when_true> | 233 | ······<ns0:when_true> |
| 234 | ········<ns0:result>PASS</ns0:result> | 234 | ········<ns0:result>PASS</ns0:result> |
| 235 | ······</ns0:when_true> | 235 | ······</ns0:when_true> |
| 236 | ······<ns0:when_false> | 236 | ······<ns0:when_false> |
| 237 | ········<ns0:result>FAIL</ns0:result> | 237 | ········<ns0:result>FAIL</ns0:result> |
| 238 | ······</ns0:when_false> | 238 | ······</ns0:when_false> |
| 239 | ····</ns0:boolean_question_test_action> | 239 | ····</ns0:boolean_question_test_action> |
| 240 | ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_ | 240 | ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_set_keepalive_action:testaction:1"·question_ref="ocil:ssg-sshd_set_keepalive_question:question:1"> |
| 241 | ······<ns0:when_true> | 241 | ······<ns0:when_true> |
| 242 | ········<ns0:result>PASS</ns0:result> | 242 | ········<ns0:result>PASS</ns0:result> |
| 243 | ······</ns0:when_true> | 243 | ······</ns0:when_true> |
| 244 | ······<ns0:when_false> | 244 | ······<ns0:when_false> |
| 245 | ········<ns0:result>FAIL</ns0:result> | 245 | ········<ns0:result>FAIL</ns0:result> |
| 246 | ······</ns0:when_false> | 246 | ······</ns0:when_false> |
| 247 | ····</ns0:boolean_question_test_action> | 247 | ····</ns0:boolean_question_test_action> |
| Offset 249, 15 lines modified | Offset 249, 15 lines modified | ||
| Max diff block lines reached; 14766/22089 bytes (66.85%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:36:59</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-grub2_enable_iommu_force:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-grub2_enable_iommu_force:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Force·IOMMU·usage·in·GRUB2</ns0:title> | 12 | ········<ns0:title>Force·IOMMU·usage·in·GRUB2</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Ubuntu·1404</ns0:platform> | 14 | ··········<ns0:platform>Ubuntu·1404</ns0:platform> |
| Offset 160, 60 lines modified | Offset 160, 14 lines modified | ||
| 160 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 160 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 161 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 161 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> | 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 164 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 164 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 165 | ··</metadata> | 165 | ··</metadata> |
| 166 | ··<model·system="urn:xccdf:scoring:default"/> | 166 | ··<model·system="urn:xccdf:scoring:default"/> |
| 167 | ··<Profile·id="anssi_np_nt28_restrictive"> | ||
| 168 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title> | ||
| 169 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description> | ||
| 170 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | ||
| 171 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | ||
| 172 | ····<select·idref="package_telnetd_removed"·selected="true"/> | ||
| 173 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | ||
| 174 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | ||
| 175 | ····<select·idref="package_nis_removed"·selected="true"/> | ||
| 176 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> | ||
| 177 | ····<select·idref="file_permissions_etc_shadow"·selected="true"/> | ||
| 178 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> | ||
| 179 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> | ||
| 180 | ····<select·idref="file_permissions_etc_group"·selected="true"/> | ||
| 181 | ····<select·idref="package_ntp_installed"·selected="true"/> | ||
| 182 | ····<select·idref="package_ntpdate_removed"·selected="true"/> | ||
| 183 | ····<select·idref="sshd_set_idle_timeout"·selected="true"/> | ||
| 184 | ····<select·idref="sshd_disable_root_login"·selected="true"/> | ||
| 185 | ····<select·idref="sshd_disable_empty_passwords"·selected="true"/> | ||
| 186 | ····<select·idref="sshd_allow_only_protocol2"·selected="true"/> | ||
| 187 | ····<select·idref="sshd_set_keepalive"·selected="true"/> | ||
| 188 | ····<select·idref="rsyslog_files_ownership"·selected="true"/> | ||
| 189 | ····<select·idref="rsyslog_files_groupownership"·selected="true"/> | ||
| 190 | ····<select·idref="rsyslog_files_permissions"·selected="true"/> | ||
| 191 | ····<select·idref="rsyslog_remote_loghost"·selected="false"/> | ||
| 192 | ····<select·idref="ensure_logrotate_activated"·selected="true"/> | ||
| 193 | ····<select·idref="file_permissions_boot_system_map"·selected="true"/> | ||
| 194 | ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> | ||
| 195 | ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> | ||
| 196 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | ||
| 197 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | ||
| 198 | ····<select·idref="partition_for_tmp"·selected="true"/> | ||
| 199 | ····<select·idref="partition_for_var"·selected="true"/> | ||
| 200 | ····<select·idref="partition_for_var_log"·selected="true"/> | ||
| 201 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 202 | ····<select·idref="partition_for_home"·selected="true"/> | ||
| 203 | ····<select·idref="package_auditd_installed"·selected="true"/> | ||
| 204 | ····<select·idref="package_cron_installed"·selected="true"/> | ||
| 205 | ····<select·idref="service_auditd_enabled"·selected="true"/> | ||
| 206 | ····<select·idref="service_ntpd_enabled"·selected="true"/> | ||
| 207 | ····<select·idref="remediation_functions"·selected="false"/> | ||
| 208 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | ||
| 209 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | ||
| 210 | ····<select·idref="hw-install"·selected="false"/> | ||
| 211 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | ||
| 212 | ··</Profile> | ||
| 213 | ··<Profile·id="anssi_np_nt28_average"> | 167 | ··<Profile·id="anssi_np_nt28_average"> |
| 214 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title> | 168 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title> |
| 215 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description> | 169 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description> |
| 216 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | 170 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> |
| 217 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | 171 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> |
| 218 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 172 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 219 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 173 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| Offset 243, 22 lines modified | Offset 197, 22 lines modified | ||
| 243 | ····<select·idref="ensure_logrotate_activated"·selected="true"/> | 197 | ····<select·idref="ensure_logrotate_activated"·selected="true"/> |
| 244 | ····<select·idref="file_permissions_boot_system_map"·selected="true"/> | 198 | ····<select·idref="file_permissions_boot_system_map"·selected="true"/> |
| 245 | ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> | 199 | ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> |
| 246 | ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> | 200 | ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> |
| 247 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | 201 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> |
| 248 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | 202 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> |
| 249 | ····<select·idref="remediation_functions"·selected="false"/> | 203 | ····<select·idref="remediation_functions"·selected="false"/> |
| 204 | ····<select·idref="hw-install"·selected="false"/> | ||
| 250 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 205 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 251 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 206 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 252 | ····<select·idref="hw-install"·selected="false"/> | ||
| 253 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 207 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 254 | ··</Profile> | 208 | ··</Profile> |
| 255 | ··<Profile·id="anssi_np_nt28_ | 209 | ··<Profile·id="anssi_np_nt28_restrictive"> |
| 256 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28· | 210 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title> |
| 257 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations· | 211 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description> |
| 258 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | 212 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> |
| 259 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | 213 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> |
| 260 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 214 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 261 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 215 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| 262 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | 216 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> |
| 263 | ····<select·idref="package_nis_removed"·selected="true"/> | 217 | ····<select·idref="package_nis_removed"·selected="true"/> |
| 264 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> | 218 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> |
| Offset 288, 16 lines modified | Offset 242, 16 lines modified | ||
| 288 | ····<select·idref="partition_for_var_log"·selected="true"/> | 242 | ····<select·idref="partition_for_var_log"·selected="true"/> |
| 289 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | 243 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> |
| 290 | ····<select·idref="partition_for_home"·selected="true"/> | 244 | ····<select·idref="partition_for_home"·selected="true"/> |
| 291 | ····<select·idref="package_auditd_installed"·selected="true"/> | 245 | ····<select·idref="package_auditd_installed"·selected="true"/> |
| 292 | ····<select·idref="package_cron_installed"·selected="true"/> | 246 | ····<select·idref="package_cron_installed"·selected="true"/> |
| 293 | ····<select·idref="service_auditd_enabled"·selected="true"/> | 247 | ····<select·idref="service_auditd_enabled"·selected="true"/> |
| 294 | ····<select·idref="service_ntpd_enabled"·selected="true"/> | 248 | ····<select·idref="service_ntpd_enabled"·selected="true"/> |
| 295 | ····<select·idref="grub2_enable_iommu_force"·selected="true"/> | ||
| 296 | ····<select·idref="remediation_functions"·selected="false"/> | 249 | ····<select·idref="remediation_functions"·selected="false"/> |
| 250 | ····<select·idref="hw-install"·selected="false"/> | ||
| 297 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 251 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 298 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 252 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 299 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 253 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 300 | ··</Profile> | 254 | ··</Profile> |
| 301 | ··<Profile·id="anssi_np_nt28_minimal"> | 255 | ··<Profile·id="anssi_np_nt28_minimal"> |
| 302 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title> | 256 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title> |
| 303 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description> | 257 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description> |
| Offset 312, 28 lines modified | Offset 266, 74 lines modified | ||
| 312 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> | 266 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> |
| 313 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> | 267 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> |
| 314 | ····<select·idref="file_permissions_etc_group"·selected="true"/> | 268 | ····<select·idref="file_permissions_etc_group"·selected="true"/> |
| 315 | ····<select·idref="remediation_functions"·selected="false"/> | 269 | ····<select·idref="remediation_functions"·selected="false"/> |
| 316 | ····<select·idref="basics"·selected="false"/> | 270 | ····<select·idref="basics"·selected="false"/> |
| 317 | ····<select·idref="ssh"·selected="false"/> | 271 | ····<select·idref="ssh"·selected="false"/> |
| 318 | ····<select·idref="ssh_server"·selected="false"/> | 272 | ····<select·idref="ssh_server"·selected="false"/> |
| 273 | ····<select·idref="hw-install"·selected="false"/> | ||
| 319 | ····<select·idref="logging"·selected="false"/> | 274 | ····<select·idref="logging"·selected="false"/> |
| 320 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 275 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 321 | ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/> | 276 | ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/> |
| 322 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 277 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 323 | ····<select·idref="log_rotation"·selected="false"/> | 278 | ····<select·idref="log_rotation"·selected="false"/> |
| 324 | ····<select·idref="hw-install"·selected="false"/> | ||
| 325 | ····<select·idref="fs-part"·selected="false"/> | 279 | ····<select·idref="fs-part"·selected="false"/> |
| 326 | ····<select·idref="installation-storage-partitioning"·selected="false"/> | 280 | ····<select·idref="installation-storage-partitioning"·selected="false"/> |
| 327 | ····<select·idref="fs-restrict"·selected="false"/> | 281 | ····<select·idref="fs-restrict"·selected="false"/> |
| 328 | ····<select·idref="permission_important_state_files"·selected="false"/> | 282 | ····<select·idref="permission_important_state_files"·selected="false"/> |
| 329 | ····<select·idref="restriction"·selected="false"/> | 283 | ····<select·idref="restriction"·selected="false"/> |
| 330 | ····<select·idref="coredumps"·selected="false"/> | 284 | ····<select·idref="coredumps"·selected="false"/> |
| 331 | ····<select·idref="enable_execshield_settings"·selected="false"/> | 285 | ····<select·idref="enable_execshield_settings"·selected="false"/> |
| 332 | ··</Profile> | 286 | ··</Profile> |
| 287 | ··<Profile·id="anssi_np_nt28_high"> | ||
| 288 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</title> | ||
| Max diff block lines reached; 121029/133381 bytes (90.74%) of diff not shown. | |||
| Offset 1, 3 lines modified | Offset 1, 3 lines modified | ||
| 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary | 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary |
| 2 | -rw-r--r--···0········0········0·····158 | 2 | -rw-r--r--···0········0········0·····1584·2018-07-26·14:58:28.000000·control.tar.xz |
| 3 | -rw-r--r--···0········0········0···153 | 3 | -rw-r--r--···0········0········0···153688·2018-07-26·14:58:28.000000·data.tar.xz |
| Offset 89, 44 lines modified | Offset 89, 44 lines modified | ||
| 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 90 | class·remove_nis·{ | 90 | class·remove_nis·{ |
| 91 | ··package·{·'nis': | 91 | ··package·{·'nis': |
| 92 | ····ensure·=>·'purged', | 92 | ····ensure·=>·'purged', |
| 93 | ··} | 93 | ··} |
| 94 | } | 94 | } |
| 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 100 | #» ···from·the·system,·and·may·remove·any·packages | 100 | #» ···from·the·system,·and·may·remove·any·packages |
| 101 | #» ···that·depend·on· | 101 | #» ···that·depend·on·telnetd.·Execute·this |
| 102 | #» ···remediation·AFTER·testing·on·a·non-production | 102 | #» ···remediation·AFTER·testing·on·a·non-production |
| 103 | #» ···system! | 103 | #» ···system! |
| 104 | apt-get·remove·--purge· | 104 | apt-get·remove·--purge·telnetd |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 106 | ··package: | 106 | ··package: |
| 107 | ····name="{{item}}" | 107 | ····name="{{item}}" |
| 108 | ····state=absent | 108 | ····state=absent |
| 109 | ··with_items: | 109 | ··with_items: |
| 110 | ····-· | 110 | ····-·telnetd |
| 111 | ··tags: | 111 | ··tags: |
| 112 | ····-·package_ | 112 | ····-·package_telnetd_removed |
| 113 | ····-·high_severity | 113 | ····-·high_severity |
| 114 | ····-·disable_strategy | 114 | ····-·disable_strategy |
| 115 | ····-·low_complexity | 115 | ····-·low_complexity |
| 116 | ····-·low_disruption | 116 | ····-·low_disruption |
| 117 | ····-·CCE- | 117 | ····-·CCE- |
| 118 | ····-·NIST-800-53-AC-17(8) | 118 | ····-·NIST-800-53-AC-17(8) |
| 119 | ····-·NIST-800-53-CM-7 | 119 | ····-·NIST-800-53-CM-7 |
| 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 121 | class·remove_ | 121 | class·remove_telnetd·{ |
| 122 | ··package·{·' | 122 | ··package·{·'telnetd': |
| 123 | ····ensure·=>·'purged', | 123 | ····ensure·=>·'purged', |
| 124 | ··} | 124 | ··} |
| 125 | } | 125 | } |
| 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package | 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package |
| 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate | 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate |
| Offset 185, 44 lines modified | Offset 185, 44 lines modified | ||
| 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 186 | class·remove_telnetd-ssl·{ | 186 | class·remove_telnetd-ssl·{ |
| 187 | ··package·{·'telnetd-ssl': | 187 | ··package·{·'telnetd-ssl': |
| 188 | ····ensure·=>·'purged', | 188 | ····ensure·=>·'purged', |
| 189 | ··} | 189 | ··} |
| 190 | } | 190 | } |
| 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 196 | #» ···from·the·system,·and·may·remove·any·packages | 196 | #» ···from·the·system,·and·may·remove·any·packages |
| 197 | #» ···that·depend·on·telnetd.·Execute·this | 197 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 198 | #» ···remediation·AFTER·testing·on·a·non-production | 198 | #» ···remediation·AFTER·testing·on·a·non-production |
| 199 | #» ···system! | 199 | #» ···system! |
| 200 | apt-get·remove·--purge·telnetd | 200 | apt-get·remove·--purge·inetutils-telnetd |
| 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 202 | ··package: | 202 | ··package: |
| 203 | ····name="{{item}}" | 203 | ····name="{{item}}" |
| 204 | ····state=absent | 204 | ····state=absent |
| 205 | ··with_items: | 205 | ··with_items: |
| 206 | ····-·telnetd | 206 | ····-·inetutils-telnetd |
| 207 | ··tags: | 207 | ··tags: |
| 208 | ····-·package_telnetd_removed | 208 | ····-·package_inetutils-telnetd_removed |
| 209 | ····-·high_severity | 209 | ····-·high_severity |
| 210 | ····-·disable_strategy | 210 | ····-·disable_strategy |
| 211 | ····-·low_complexity | 211 | ····-·low_complexity |
| 212 | ····-·low_disruption | 212 | ····-·low_disruption |
| 213 | ····-·CCE- | 213 | ····-·CCE- |
| 214 | ····-·NIST-800-53-AC-17(8) | 214 | ····-·NIST-800-53-AC-17(8) |
| 215 | ····-·NIST-800-53-CM-7 | 215 | ····-·NIST-800-53-CM-7 |
| 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 217 | class·remove_telnetd·{ | 217 | class·remove_inetutils-telnetd·{ |
| 218 | ··package·{·'telnetd': | 218 | ··package·{·'inetutils-telnetd': |
| 219 | ····ensure·=>·'purged', | 219 | ····ensure·=>·'purged', |
| 220 | ··} | 220 | ··} |
| 221 | } | 221 | } |
| 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service | 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 269, 26 lines modified | Offset 269, 23 lines modified | ||
| 269 | verified·by·ensuring·that·the·following | 269 | verified·by·ensuring·that·the·following |
| 270 | line·appears: | 270 | line·appears: |
| 271 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that | 271 | <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that |
| 272 | result·in·security·vulnerabilities·and | 272 | result·in·security·vulnerabilities·and |
| 273 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 273 | should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 274 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 274 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 275 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 275 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 276 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_ | 276 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count |
| 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_ | 277 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 278 | e | 278 | edit·<code>/etc/ssh/sshd_config</code>·as |
| 279 | 279 | follows: | |
| 280 | <pre> | 280 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 281 | 281 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 282 | 282 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | |
| 283 | remote·login·via·SSH·will·require·a·password, | ||
| 284 | even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 285 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 286 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 283 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 287 | ············<a·href="http:// | 284 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5099"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 288 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. | 285 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval. |
| 289 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. | 286 | After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out. |
| 290 | <br><br> | 287 | <br><br> |
| 291 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 288 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 292 | follows: | 289 | follows: |
| 293 | <pre>ClientAliveInterval·<b>interval</b></pre> | 290 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 294 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | 291 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| Offset 298, 23 lines modified | Offset 295, 26 lines modified | ||
| 298 | shell,·that·value·will·preempt·any·SSH | 295 | shell,·that·value·will·preempt·any·SSH |
| 299 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 296 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 300 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 297 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 301 | guards·against·compromises·one·system·leading·trivially | 298 | guards·against·compromises·one·system·leading·trivially |
| 302 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 299 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 303 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 300 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 304 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 301 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 305 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_ | 302 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5122"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords |
| 306 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_ | 303 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with |
| 307 | e | 304 | empty·passwords,·add·or·correct·the·following·line·in |
| Max diff block lines reached; 97587/128487 bytes (75.95%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:debianproject:debian:8</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:debianproject:debian:8</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·0px"><small>contains·42·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Debian·8·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Debian·8·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Debian·8·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Debian·8·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Debian·8·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Debian·8·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Debian·8·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Debian·8·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 89, 44 lines modified | Offset 89, 44 lines modified | ||
| 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 90 | class·remove_nis·{ | 90 | class·remove_nis·{ |
| 91 | ··package·{·'nis': | 91 | ··package·{·'nis': |
| 92 | ····ensure·=>·'purged', | 92 | ····ensure·=>·'purged', |
| 93 | ··} | 93 | ··} |
| 94 | } | 94 | } |
| 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 100 | #» ···from·the·system,·and·may·remove·any·packages | 100 | #» ···from·the·system,·and·may·remove·any·packages |
| 101 | #» ···that·depend·on· | 101 | #» ···that·depend·on·telnetd.·Execute·this |
| 102 | #» ···remediation·AFTER·testing·on·a·non-production | 102 | #» ···remediation·AFTER·testing·on·a·non-production |
| 103 | #» ···system! | 103 | #» ···system! |
| 104 | apt-get·remove·--purge· | 104 | apt-get·remove·--purge·telnetd |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 106 | ··package: | 106 | ··package: |
| 107 | ····name="{{item}}" | 107 | ····name="{{item}}" |
| 108 | ····state=absent | 108 | ····state=absent |
| 109 | ··with_items: | 109 | ··with_items: |
| 110 | ····-· | 110 | ····-·telnetd |
| 111 | ··tags: | 111 | ··tags: |
| 112 | ····-·package_ | 112 | ····-·package_telnetd_removed |
| 113 | ····-·high_severity | 113 | ····-·high_severity |
| 114 | ····-·disable_strategy | 114 | ····-·disable_strategy |
| 115 | ····-·low_complexity | 115 | ····-·low_complexity |
| 116 | ····-·low_disruption | 116 | ····-·low_disruption |
| 117 | ····-·CCE- | 117 | ····-·CCE- |
| 118 | ····-·NIST-800-53-AC-17(8) | 118 | ····-·NIST-800-53-AC-17(8) |
| 119 | ····-·NIST-800-53-CM-7 | 119 | ····-·NIST-800-53-CM-7 |
| 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 121 | class·remove_ | 121 | class·remove_telnetd·{ |
| 122 | ··package·{·' | 122 | ··package·{·'telnetd': |
| 123 | ····ensure·=>·'purged', | 123 | ····ensure·=>·'purged', |
| 124 | ··} | 124 | ··} |
| 125 | } | 125 | } |
| 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package | 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package |
| 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate | 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate |
| Offset 185, 44 lines modified | Offset 185, 44 lines modified | ||
| 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 186 | class·remove_telnetd-ssl·{ | 186 | class·remove_telnetd-ssl·{ |
| 187 | ··package·{·'telnetd-ssl': | 187 | ··package·{·'telnetd-ssl': |
| 188 | ····ensure·=>·'purged', | 188 | ····ensure·=>·'purged', |
| 189 | ··} | 189 | ··} |
| 190 | } | 190 | } |
| 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 196 | #» ···from·the·system,·and·may·remove·any·packages | 196 | #» ···from·the·system,·and·may·remove·any·packages |
| 197 | #» ···that·depend·on·telnetd.·Execute·this | 197 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 198 | #» ···remediation·AFTER·testing·on·a·non-production | 198 | #» ···remediation·AFTER·testing·on·a·non-production |
| 199 | #» ···system! | 199 | #» ···system! |
| 200 | apt-get·remove·--purge·telnetd | 200 | apt-get·remove·--purge·inetutils-telnetd |
| 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 202 | ··package: | 202 | ··package: |
| 203 | ····name="{{item}}" | 203 | ····name="{{item}}" |
| 204 | ····state=absent | 204 | ····state=absent |
| 205 | ··with_items: | 205 | ··with_items: |
| 206 | ····-·telnetd | 206 | ····-·inetutils-telnetd |
| 207 | ··tags: | 207 | ··tags: |
| 208 | ····-·package_telnetd_removed | 208 | ····-·package_inetutils-telnetd_removed |
| 209 | ····-·high_severity | 209 | ····-·high_severity |
| 210 | ····-·disable_strategy | 210 | ····-·disable_strategy |
| 211 | ····-·low_complexity | 211 | ····-·low_complexity |
| 212 | ····-·low_disruption | 212 | ····-·low_disruption |
| 213 | ····-·CCE- | 213 | ····-·CCE- |
| 214 | ····-·NIST-800-53-AC-17(8) | 214 | ····-·NIST-800-53-AC-17(8) |
| 215 | ····-·NIST-800-53-CM-7 | 215 | ····-·NIST-800-53-CM-7 |
| 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 217 | class·remove_telnetd·{ | 217 | class·remove_inetutils-telnetd·{ |
| 218 | ··package·{·'telnetd': | 218 | ··package·{·'inetutils-telnetd': |
| 219 | ····ensure·=>·'purged', | 219 | ····ensure·=>·'purged', |
| 220 | ··} | 220 | ··} |
| 221 | } | 221 | } |
| 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service | 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 295, 19 lines modified | Offset 295, 39 lines modified | ||
| 295 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_auditd | 295 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_auditd |
| 296 | class·install_auditd·{ | 296 | class·install_auditd·{ |
| 297 | ··package·{·'auditd': | 297 | ··package·{·'auditd': |
| 298 | ····ensure·=>·'installed', | 298 | ····ensure·=>·'installed', |
| 299 | ··} | 299 | ··} |
| 300 | } | 300 | } |
| 301 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ | 301 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntp_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntp_enabled"·id="guide-tree-leaf-idm4986"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntp_enabled">Enable·the·ntpd·service |
| 302 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntp_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 303 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 304 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 305 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntp | ||
| 306 | ··service: | ||
| 307 | ····name="{{item}}" | ||
| 308 | ····enabled="yes" | ||
| 309 | ····state="started" | ||
| 310 | ··with_items: | ||
| 311 | ····-·ntp | ||
| 312 | ··tags: | ||
| 313 | ····-·service_ntp_enabled | ||
| 314 | ····-·high_severity | ||
| Max diff block lines reached; 126621/155260 bytes (81.55%) of diff not shown. | |||
| Offset 89, 44 lines modified | Offset 89, 44 lines modified | ||
| 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 90 | class·remove_nis·{ | 90 | class·remove_nis·{ |
| 91 | ··package·{·'nis': | 91 | ··package·{·'nis': |
| 92 | ····ensure·=>·'purged', | 92 | ····ensure·=>·'purged', |
| 93 | ··} | 93 | ··} |
| 94 | } | 94 | } |
| 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 100 | #» ···from·the·system,·and·may·remove·any·packages | 100 | #» ···from·the·system,·and·may·remove·any·packages |
| 101 | #» ···that·depend·on· | 101 | #» ···that·depend·on·telnetd.·Execute·this |
| 102 | #» ···remediation·AFTER·testing·on·a·non-production | 102 | #» ···remediation·AFTER·testing·on·a·non-production |
| 103 | #» ···system! | 103 | #» ···system! |
| 104 | apt-get·remove·--purge· | 104 | apt-get·remove·--purge·telnetd |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 106 | ··package: | 106 | ··package: |
| 107 | ····name="{{item}}" | 107 | ····name="{{item}}" |
| 108 | ····state=absent | 108 | ····state=absent |
| 109 | ··with_items: | 109 | ··with_items: |
| 110 | ····-· | 110 | ····-·telnetd |
| 111 | ··tags: | 111 | ··tags: |
| 112 | ····-·package_ | 112 | ····-·package_telnetd_removed |
| 113 | ····-·high_severity | 113 | ····-·high_severity |
| 114 | ····-·disable_strategy | 114 | ····-·disable_strategy |
| 115 | ····-·low_complexity | 115 | ····-·low_complexity |
| 116 | ····-·low_disruption | 116 | ····-·low_disruption |
| 117 | ····-·CCE- | 117 | ····-·CCE- |
| 118 | ····-·NIST-800-53-AC-17(8) | 118 | ····-·NIST-800-53-AC-17(8) |
| 119 | ····-·NIST-800-53-CM-7 | 119 | ····-·NIST-800-53-CM-7 |
| 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 121 | class·remove_ | 121 | class·remove_telnetd·{ |
| 122 | ··package·{·' | 122 | ··package·{·'telnetd': |
| 123 | ····ensure·=>·'purged', | 123 | ····ensure·=>·'purged', |
| 124 | ··} | 124 | ··} |
| 125 | } | 125 | } |
| 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·id="guide-tree-leaf-idm4914"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">Uninstall·the·ssl·compliant·telnet·server | 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·id="guide-tree-leaf-idm4914"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">Uninstall·the·ssl·compliant·telnet·server |
| 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon,·even·with·ssl·support,·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet,·even·with·ssl·support,·should·not·be·installed.·When·remote·shell·is·required,·up-to-date·ssh·daemon·can·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon,·even·with·ssl·support,·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet,·even·with·ssl·support,·should·not·be·installed.·When·remote·shell·is·required,·up-to-date·ssh·daemon·can·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| Offset 155, 44 lines modified | Offset 155, 44 lines modified | ||
| 155 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 155 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 156 | class·remove_telnetd-ssl·{ | 156 | class·remove_telnetd-ssl·{ |
| 157 | ··package·{·'telnetd-ssl': | 157 | ··package·{·'telnetd-ssl': |
| 158 | ····ensure·=>·'purged', | 158 | ····ensure·=>·'purged', |
| 159 | ··} | 159 | ··} |
| 160 | } | 160 | } |
| 161 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 161 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 162 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 162 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 163 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 163 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 164 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 164 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 165 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 165 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 166 | #» ···from·the·system,·and·may·remove·any·packages | 166 | #» ···from·the·system,·and·may·remove·any·packages |
| 167 | #» ···that·depend·on·telnetd.·Execute·this | 167 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 168 | #» ···remediation·AFTER·testing·on·a·non-production | 168 | #» ···remediation·AFTER·testing·on·a·non-production |
| 169 | #» ···system! | 169 | #» ···system! |
| 170 | apt-get·remove·--purge·telnetd | 170 | apt-get·remove·--purge·inetutils-telnetd |
| 171 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 171 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 172 | ··package: | 172 | ··package: |
| 173 | ····name="{{item}}" | 173 | ····name="{{item}}" |
| 174 | ····state=absent | 174 | ····state=absent |
| 175 | ··with_items: | 175 | ··with_items: |
| 176 | ····-·telnetd | 176 | ····-·inetutils-telnetd |
| 177 | ··tags: | 177 | ··tags: |
| 178 | ····-·package_telnetd_removed | 178 | ····-·package_inetutils-telnetd_removed |
| 179 | ····-·high_severity | 179 | ····-·high_severity |
| 180 | ····-·disable_strategy | 180 | ····-·disable_strategy |
| 181 | ····-·low_complexity | 181 | ····-·low_complexity |
| 182 | ····-·low_disruption | 182 | ····-·low_disruption |
| 183 | ····-·CCE- | 183 | ····-·CCE- |
| 184 | ····-·NIST-800-53-AC-17(8) | 184 | ····-·NIST-800-53-AC-17(8) |
| 185 | ····-·NIST-800-53-CM-7 | 185 | ····-·NIST-800-53-CM-7 |
| 186 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 186 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 187 | class·remove_telnetd·{ | 187 | class·remove_inetutils-telnetd·{ |
| 188 | ··package·{·'telnetd': | 188 | ··package·{·'inetutils-telnetd': |
| 189 | ····ensure·=>·'purged', | 189 | ····ensure·=>·'purged', |
| 190 | ··} | 190 | ··} |
| 191 | } | 191 | } |
| 192 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration | 192 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration |
| 193 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·id="guide-tree-leaf-idm5164"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_apt"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">Disable·unauthenticated·repositories·in·APT·configuration | 193 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·id="guide-tree-leaf-idm5164"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_apt"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">Disable·unauthenticated·repositories·in·APT·configuration |
| 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unauthenticated·repositories·should·not·be·used·for·updates.</p><span·class="label·label-primary">Rationale:</span><p>Repositories·hosts·all·packages·that·will·be·intsalled·on·the·system·during·update. | 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unauthenticated·repositories·should·not·be·used·for·updates.</p><span·class="label·label-primary">Rationale:</span><p>Repositories·hosts·all·packages·that·will·be·intsalled·on·the·system·during·update. |
| 195 | ····If·a·repository·is·not·authenticated,·the·associated·packages·can't·be·trusted, | 195 | ····If·a·repository·is·not·authenticated,·the·associated·packages·can't·be·trusted, |
| Offset 225, 95 lines modified | Offset 225, 95 lines modified | ||
| 225 | choose.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages">Configure·<tt>rsyslogd</tt>·to·Accept·Remote·Messages·If·Acting·as·a·Log·Server | 225 | choose.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages">Configure·<tt>rsyslogd</tt>·to·Accept·Remote·Messages·If·Acting·as·a·Log·Server |
| 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·<code>rsyslog</code>·does·not·listen·over·the·network | 226 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·<code>rsyslog</code>·does·not·listen·over·the·network |
| 227 | for·log·messages.·If·needed,·modules·can·be·enabled·to·allow | 227 | for·log·messages.·If·needed,·modules·can·be·enabled·to·allow |
| 228 | the·rsyslog·daemon·to·receive·messages·from·other·systems·and·for·the·system | 228 | the·rsyslog·daemon·to·receive·messages·from·other·systems·and·for·the·system |
| 229 | thus·to·act·as·a·log·server. | 229 | thus·to·act·as·a·log·server. |
| 230 | If·the·machine·is·not·a·log·server,·then·lines·concerning·these·modules | 230 | If·the·machine·is·not·a·log·server,·then·lines·concerning·these·modules |
| 231 | should·remain·commented·out. | 231 | should·remain·commented·out. |
| 232 | <br><br></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 232 | <br><br></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_syslogng_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_syslogng_enabled"·id="guide-tree-leaf-idm5323"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_syslogng_enabled">Enable·syslog-ng·Service |
| 233 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_syslogng_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>syslog-ng·can·be·installed·in·replacement·of·rsyslog.· | ||
| 234 | ········The·<code>syslog-ng-core</code>·package·can·be·installed·with·the·following·command: | ||
| 235 | ········<pre>#·apt-get·install·syslog-ng-core</pre></p><span·class="label·label-primary">Rationale:</span><p>The·syslog-ng-core·package·provides·the·syslog-ng·daemon,·which·provides | ||
| 236 | system·logging·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 237 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 238 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf">5.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_syslogng_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_syslogng_enabled"·id="guide-tree-leaf-idm5340"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_syslogng_enabled">Enable·syslog-ng·Service | ||
| 239 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_syslogng_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>syslog-ng</code>·service·(in·replacement·of·rsyslog)·provides·syslog-style·logging·by·default·on·Debian·8. | 233 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_syslogng_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>syslog-ng</code>·service·(in·replacement·of·rsyslog)·provides·syslog-style·logging·by·default·on·Debian·8. |
| 240 | ········The·<code>syslog-ng</code>·service·can·be·enabled·with·the·following·command: | 234 | ········The·<code>syslog-ng</code>·service·can·be·enabled·with·the·following·command: |
| 241 | ········<pre>$·sudo·chkconfig·--level·2345·syslog-ng·on</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>syslog-ng</code>·service·must·be·running·in·order·to·provide | 235 | ········<pre>$·sudo·chkconfig·--level·2345·syslog-ng·on</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>syslog-ng</code>·service·must·be·running·in·order·to·provide |
| 242 | logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 236 | logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 243 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 237 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 244 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf">5.1.2</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ | 238 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf">5.1.2</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_syslogng_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_syslogng_installed"·id="guide-tree-leaf-idm5342"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_syslogng_installed">Ensure·syslog-ng·is·Installed |
| 239 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_syslogng_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>syslog-ng·can·be·installed·in·replacement·of·rsyslog.· | ||
| 240 | ········The·<code>syslog-ng-core</code>·package·can·be·installed·with·the·following·command: | ||
| 241 | ········<pre>#·apt-get·install·syslog-ng-core</pre></p><span·class="label·label-primary">Rationale:</span><p>The·syslog-ng-core·package·provides·the·syslog-ng·daemon,·which·provides | ||
| 242 | system·logging·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 243 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 244 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf">5.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·id="guide-tree-leaf-idm5406"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">Enable·rsyslog·Service | ||
| 245 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsyslog</code>·service·provides·syslog-style·logging·by·default·on·Debian·8. | 245 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsyslog</code>·service·provides·syslog-style·logging·by·default·on·Debian·8. |
| 246 | ········The·<code>rsyslog</code>·service·can·be·enabled·with·the·following·command: | 246 | ········The·<code>rsyslog</code>·service·can·be·enabled·with·the·following·command: |
| 247 | ········<pre>$·sudo·chkconfig·--level·2345·rsyslog·on</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsyslog</code>·service·must·be·running·in·order·to·provide | 247 | ········<pre>$·sudo·chkconfig·--level·2345·rsyslog·on</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsyslog</code>·service·must·be·running·in·order·to·provide |
| 248 | logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 248 | logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 249 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 249 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 250 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf">5.1.2</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm542 | 250 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf">5.1.2</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm5423">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm5423"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·rsyslog |
| 251 | ··service: | 251 | ··service: |
| Max diff block lines reached; 31769/63172 bytes (50.29%) of diff not shown. | |||
| Offset 89, 44 lines modified | Offset 89, 44 lines modified | ||
| 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 89 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 90 | class·remove_nis·{ | 90 | class·remove_nis·{ |
| 91 | ··package·{·'nis': | 91 | ··package·{·'nis': |
| 92 | ····ensure·=>·'purged', | 92 | ····ensure·=>·'purged', |
| 93 | ··} | 93 | ··} |
| 94 | } | 94 | } |
| 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 95 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 96 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 99 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 100 | #» ···from·the·system,·and·may·remove·any·packages | 100 | #» ···from·the·system,·and·may·remove·any·packages |
| 101 | #» ···that·depend·on· | 101 | #» ···that·depend·on·telnetd.·Execute·this |
| 102 | #» ···remediation·AFTER·testing·on·a·non-production | 102 | #» ···remediation·AFTER·testing·on·a·non-production |
| 103 | #» ···system! | 103 | #» ···system! |
| 104 | apt-get·remove·--purge· | 104 | apt-get·remove·--purge·telnetd |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 106 | ··package: | 106 | ··package: |
| 107 | ····name="{{item}}" | 107 | ····name="{{item}}" |
| 108 | ····state=absent | 108 | ····state=absent |
| 109 | ··with_items: | 109 | ··with_items: |
| 110 | ····-· | 110 | ····-·telnetd |
| 111 | ··tags: | 111 | ··tags: |
| 112 | ····-·package_ | 112 | ····-·package_telnetd_removed |
| 113 | ····-·high_severity | 113 | ····-·high_severity |
| 114 | ····-·disable_strategy | 114 | ····-·disable_strategy |
| 115 | ····-·low_complexity | 115 | ····-·low_complexity |
| 116 | ····-·low_disruption | 116 | ····-·low_disruption |
| 117 | ····-·CCE- | 117 | ····-·CCE- |
| 118 | ····-·NIST-800-53-AC-17(8) | 118 | ····-·NIST-800-53-AC-17(8) |
| 119 | ····-·NIST-800-53-CM-7 | 119 | ····-·NIST-800-53-CM-7 |
| 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 120 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 121 | class·remove_ | 121 | class·remove_telnetd·{ |
| 122 | ··package·{·' | 122 | ··package·{·'telnetd': |
| 123 | ····ensure·=>·'purged', | 123 | ····ensure·=>·'purged', |
| 124 | ··} | 124 | ··} |
| 125 | } | 125 | } |
| 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package | 126 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package |
| 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 128 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate | 129 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate |
| Offset 185, 44 lines modified | Offset 185, 44 lines modified | ||
| 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 185 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 186 | class·remove_telnetd-ssl·{ | 186 | class·remove_telnetd-ssl·{ |
| 187 | ··package·{·'telnetd-ssl': | 187 | ··package·{·'telnetd-ssl': |
| 188 | ····ensure·=>·'purged', | 188 | ····ensure·=>·'purged', |
| 189 | ··} | 189 | ··} |
| 190 | } | 190 | } |
| 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 191 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 193 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 195 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 196 | #» ···from·the·system,·and·may·remove·any·packages | 196 | #» ···from·the·system,·and·may·remove·any·packages |
| 197 | #» ···that·depend·on·telnetd.·Execute·this | 197 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 198 | #» ···remediation·AFTER·testing·on·a·non-production | 198 | #» ···remediation·AFTER·testing·on·a·non-production |
| 199 | #» ···system! | 199 | #» ···system! |
| 200 | apt-get·remove·--purge·telnetd | 200 | apt-get·remove·--purge·inetutils-telnetd |
| 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 201 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 202 | ··package: | 202 | ··package: |
| 203 | ····name="{{item}}" | 203 | ····name="{{item}}" |
| 204 | ····state=absent | 204 | ····state=absent |
| 205 | ··with_items: | 205 | ··with_items: |
| 206 | ····-·telnetd | 206 | ····-·inetutils-telnetd |
| 207 | ··tags: | 207 | ··tags: |
| 208 | ····-·package_telnetd_removed | 208 | ····-·package_inetutils-telnetd_removed |
| 209 | ····-·high_severity | 209 | ····-·high_severity |
| 210 | ····-·disable_strategy | 210 | ····-·disable_strategy |
| 211 | ····-·low_complexity | 211 | ····-·low_complexity |
| 212 | ····-·low_disruption | 212 | ····-·low_disruption |
| 213 | ····-·CCE- | 213 | ····-·CCE- |
| 214 | ····-·NIST-800-53-AC-17(8) | 214 | ····-·NIST-800-53-AC-17(8) |
| 215 | ····-·NIST-800-53-CM-7 | 215 | ····-·NIST-800-53-CM-7 |
| 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 216 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 217 | class·remove_telnetd·{ | 217 | class·remove_inetutils-telnetd·{ |
| 218 | ··package·{·'telnetd': | 218 | ··package·{·'inetutils-telnetd': |
| 219 | ····ensure·=>·'purged', | 219 | ····ensure·=>·'purged', |
| 220 | ··} | 220 | ··} |
| 221 | } | 221 | } |
| 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 222 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 223 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service | 224 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service |
| 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 225 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 295, 19 lines modified | Offset 295, 39 lines modified | ||
| 295 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_auditd | 295 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_auditd |
| 296 | class·install_auditd·{ | 296 | class·install_auditd·{ |
| 297 | ··package·{·'auditd': | 297 | ··package·{·'auditd': |
| 298 | ····ensure·=>·'installed', | 298 | ····ensure·=>·'installed', |
| 299 | ··} | 299 | ··} |
| 300 | } | 300 | } |
| 301 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ | 301 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntp_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntp_enabled"·id="guide-tree-leaf-idm4986"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntp_enabled">Enable·the·ntpd·service |
| 302 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntp_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 303 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 304 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 305 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntp | ||
| 306 | ··service: | ||
| 307 | ····name="{{item}}" | ||
| 308 | ····enabled="yes" | ||
| 309 | ····state="started" | ||
| 310 | ··with_items: | ||
| 311 | ····-·ntp | ||
| 312 | ··tags: | ||
| 313 | ····-·service_ntp_enabled | ||
| 314 | ····-·high_severity | ||
| 315 | ····-·enable_strategy | ||
| 316 | ····-·low_complexity | ||
| 317 | ····-·low_disruption | ||
| 318 | ····-·CCE- | ||
| 319 | ····-·NIST-800-53-AU-8(1) | ||
| 320 | ····-·PCI-DSS-Req-10.4 | ||
| 321 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_auditd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled"·id="guide-tree-leaf-idm5000"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_auditd_enabled">Enable·the·auditd·service | ||
| 302 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_auditd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 322 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_auditd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 303 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 323 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 304 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 324 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 305 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000347</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000157</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000880</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001353</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001462</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001487</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001115</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001454</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000067</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000158</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000831</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001190</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001263</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000130</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000120</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001589</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm50 | 325 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000347</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000157</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000880</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001353</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001462</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001487</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001115</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001454</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000067</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000158</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000831</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001190</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001263</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000130</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000120</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001589</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm5031">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm5031"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·auditd |
| 306 | ··service: | 326 | ··service: |
| 307 | ····name="{{item}}" | 327 | ····name="{{item}}" |
| 308 | ····enabled="yes" | 328 | ····enabled="yes" |
| 309 | ····state="started" | 329 | ····state="started" |
| 310 | ··with_items: | 330 | ··with_items: |
| Max diff block lines reached; 113939/143305 bytes (79.51%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:debianproject:debian:8</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:debianproject:debian:8</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Debian·8·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Debian·8·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Debian·8·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Debian·8·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Debian·8·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Debian·8·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| Offset 75, 19 lines modified | Offset 75, 15 lines modified | ||
| 75 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed | 75 | server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed |
| 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 77 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 77 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 78 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 78 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 79 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 79 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 80 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration | 80 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration |
| 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings | 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings |
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog |
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_software">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·following·sections·contain·information·on | ||
| 84 | security-relevant·choices·during·the·initial·operating·system | ||
| 85 | installation·process·and·the·setup·of·software | ||
| 86 | updates.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog | ||
| 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for |
| 88 | many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format, | 84 | many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format, |
| 89 | lack·of·authentication·for·received·messages,·and·lack·of·authentication, | 85 | lack·of·authentication·for·received·messages,·and·lack·of·authentication, |
| 90 | encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However, | 86 | encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However, |
| 91 | due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by | 87 | due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by |
| 92 | almost·all·Unix·applications. | 88 | almost·all·Unix·applications. |
| 93 | <br> | 89 | <br> |
| Offset 206, 16 lines modified | Offset 202, 15 lines modified | ||
| 206 | providing·a·username·and·password·to·a·login·program,·which·tests | 202 | providing·a·username·and·password·to·a·login·program,·which·tests |
| 207 | these·values·for·correctness·using·the·<code>/etc/passwd</code>·and | 203 | these·values·for·correctness·using·the·<code>/etc/passwd</code>·and |
| 208 | <code>/etc/shadow</code>·files.·Password-based·login·is·vulnerable·to | 204 | <code>/etc/shadow</code>·files.·Password-based·login·is·vulnerable·to |
| 209 | guessing·of·weak·passwords,·and·to·sniffing·and·man-in-the-middle | 205 | guessing·of·weak·passwords,·and·to·sniffing·and·man-in-the-middle |
| 210 | attacks·against·passwords·entered·over·a·network·or·at·an·insecure | 206 | attacks·against·passwords·entered·over·a·network·or·at·an·insecure |
| 211 | console.·Therefore,·mechanisms·for·accessing·accounts·by·entering | 207 | console.·Therefore,·mechanisms·for·accessing·accounts·by·entering |
| 212 | usernames·and·passwords·should·be·restricted·to·those·which·are | 208 | usernames·and·passwords·should·be·restricted·to·those·which·are |
| 213 | operationally·necessary.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 209 | operationally·necessary.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_permissions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_permissions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks |
| 214 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_permissions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_permissions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks | ||
| 215 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_permissions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Traditional·Unix·security·relies·heavily·on·file·and | 210 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_permissions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Traditional·Unix·security·relies·heavily·on·file·and |
| 216 | directory·permissions·to·prevent·unauthorized·users·from·reading·or | 211 | directory·permissions·to·prevent·unauthorized·users·from·reading·or |
| 217 | modifying·files·to·which·they·should·not·have·access. | 212 | modifying·files·to·which·they·should·not·have·access. |
| 218 | <br><br> | 213 | <br><br> |
| 219 | Several·of·the·commands·in·this·section·search·filesystems | 214 | Several·of·the·commands·in·this·section·search·filesystems |
| 220 | for·files·or·directories·with·certain·characteristics,·and·are | 215 | for·files·or·directories·with·certain·characteristics,·and·are |
| 221 | intended·to·be·run·on·every·local·partition·on·a·given·system. | 216 | intended·to·be·run·on·every·local·partition·on·a·given·system. |
| Offset 271, 13 lines modified | Offset 266, 18 lines modified | ||
| 271 | protection·against·exploitation·of·memory·corruption·errors·such·as·buffer | 266 | protection·against·exploitation·of·memory·corruption·errors·such·as·buffer |
| 272 | overflows.·These·features·include·random·placement·of·the·stack·and·other | 267 | overflows.·These·features·include·random·placement·of·the·stack·and·other |
| 273 | memory·regions,·prevention·of·execution·in·memory·that·should·only·hold·data, | 268 | memory·regions,·prevention·of·execution·in·memory·that·should·only·hold·data, |
| 274 | and·special·handling·of·text·buffers.·These·protections·are·enabled·by·default | 269 | and·special·handling·of·text·buffers.·These·protections·are·enabled·by·default |
| 275 | on·32-bit·systems·and·controlled·through·<code>sysctl</code>·variables· | 270 | on·32-bit·systems·and·controlled·through·<code>sysctl</code>·variables· |
| 276 | <code>kernel.exec-shield</code>·and·<code>kernel.randomize_va_space</code>.·On·the·latest | 271 | <code>kernel.exec-shield</code>·and·<code>kernel.randomize_va_space</code>.·On·the·latest |
| 277 | 64-bit·systems,·<code>kernel.exec-shield</code>·cannot·be·enabled·or·disabled·with· | 272 | 64-bit·systems,·<code>kernel.exec-shield</code>·cannot·be·enabled·or·disabled·with· |
| 278 | <code>sysctl</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_enable_execshield_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_restriction"><td·style="padding-left:·76px"></td></tr>< | 273 | <code>sysctl</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_enable_execshield_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_restriction"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage |
| 274 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_software"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software | ||
| 275 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_software">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·following·sections·contain·information·on | ||
| 276 | security-relevant·choices·during·the·initial·operating·system | ||
| 277 | installation·process·and·the·setup·of·software | ||
| 278 | updates.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr></tbody></table></div><div·id="rear-matter"><div·class="row·top-spacer-10"><div·class="col-md-12·well·well-lg"><div·class="rear-matter">Red·Hat·and·Red·Hat·Enterprise·Linux·are·either·registered | ||
| 279 | trademarks·or·trademarks·of·Red·Hat,·Inc.·in·the·United·States·and·other | 279 | trademarks·or·trademarks·of·Red·Hat,·Inc.·in·the·United·States·and·other |
| 280 | countries.·All·other·names·are·registered·trademarks·or·trademarks·of·their | 280 | countries.·All·other·names·are·registered·trademarks·or·trademarks·of·their |
| 281 | respective·companies. | 281 | respective·companies. |
| 282 | </div></div></div></div></div></div><footer·id="footer"><div·class="container"><p·class="muted·credit"> | 282 | </div></div></div></div></div></div><footer·id="footer"><div·class="container"><p·class="muted·credit"> |
| 283 | ················Generated·using·<a·href="http://open-scap.org">OpenSCAP</a>·1.2.16</p></div></footer></body></html> | 283 | ················Generated·using·<a·href="http://open-scap.org">OpenSCAP</a>·1.2.16</p></div></footer></body></html> |
| Offset 91, 44 lines modified | Offset 91, 44 lines modified | ||
| 91 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis | 91 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis |
| 92 | class·remove_nis·{ | 92 | class·remove_nis·{ |
| 93 | ··package·{·'nis': | 93 | ··package·{·'nis': |
| 94 | ····ensure·=>·'purged', | 94 | ····ensure·=>·'purged', |
| 95 | ··} | 95 | ··} |
| 96 | } | 96 | } |
| 97 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ | 97 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server |
| 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ | 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 99 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 99 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 100 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 100 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 101 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove· | 101 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd |
| 102 | #» ···from·the·system,·and·may·remove·any·packages | 102 | #» ···from·the·system,·and·may·remove·any·packages |
| 103 | #» ···that·depend·on· | 103 | #» ···that·depend·on·telnetd.·Execute·this |
| 104 | #» ···remediation·AFTER·testing·on·a·non-production | 104 | #» ···remediation·AFTER·testing·on·a·non-production |
| 105 | #» ···system! | 105 | #» ···system! |
| 106 | apt-get·remove·--purge· | 106 | apt-get·remove·--purge·telnetd |
| 107 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure· | 107 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed |
| 108 | ··package: | 108 | ··package: |
| 109 | ····name="{{item}}" | 109 | ····name="{{item}}" |
| 110 | ····state=absent | 110 | ····state=absent |
| 111 | ··with_items: | 111 | ··with_items: |
| 112 | ····-· | 112 | ····-·telnetd |
| 113 | ··tags: | 113 | ··tags: |
| 114 | ····-·package_ | 114 | ····-·package_telnetd_removed |
| 115 | ····-·high_severity | 115 | ····-·high_severity |
| 116 | ····-·disable_strategy | 116 | ····-·disable_strategy |
| 117 | ····-·low_complexity | 117 | ····-·low_complexity |
| 118 | ····-·low_disruption | 118 | ····-·low_disruption |
| 119 | ····-·CCE- | 119 | ····-·CCE- |
| 120 | ····-·NIST-800-53-AC-17(8) | 120 | ····-·NIST-800-53-AC-17(8) |
| 121 | ····-·NIST-800-53-CM-7 | 121 | ····-·NIST-800-53-CM-7 |
| 122 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_ | 122 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd |
| 123 | class·remove_ | 123 | class·remove_telnetd·{ |
| 124 | ··package·{·' | 124 | ··package·{·'telnetd': |
| 125 | ····ensure·=>·'purged', | 125 | ····ensure·=>·'purged', |
| 126 | ··} | 126 | ··} |
| 127 | } | 127 | } |
| 128 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package | 128 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package |
| 129 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 129 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 130 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 130 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 131 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate | 131 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate |
| Offset 187, 44 lines modified | Offset 187, 44 lines modified | ||
| 187 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl | 187 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl |
| 188 | class·remove_telnetd-ssl·{ | 188 | class·remove_telnetd-ssl·{ |
| 189 | ··package·{·'telnetd-ssl': | 189 | ··package·{·'telnetd-ssl': |
| 190 | ····ensure·=>·'purged', | 190 | ····ensure·=>·'purged', |
| 191 | ··} | 191 | ··} |
| 192 | } | 192 | } |
| 193 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server | 193 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server |
| 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 195 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 195 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 196 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 196 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 197 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd | 197 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 198 | #» ···from·the·system,·and·may·remove·any·packages | 198 | #» ···from·the·system,·and·may·remove·any·packages |
| 199 | #» ···that·depend·on·telnetd.·Execute·this | 199 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 200 | #» ···remediation·AFTER·testing·on·a·non-production | 200 | #» ···remediation·AFTER·testing·on·a·non-production |
| 201 | #» ···system! | 201 | #» ···system! |
| 202 | apt-get·remove·--purge·telnetd | 202 | apt-get·remove·--purge·inetutils-telnetd |
| 203 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed | 203 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed |
| 204 | ··package: | 204 | ··package: |
| 205 | ····name="{{item}}" | 205 | ····name="{{item}}" |
| 206 | ····state=absent | 206 | ····state=absent |
| 207 | ··with_items: | 207 | ··with_items: |
| 208 | ····-·telnetd | 208 | ····-·inetutils-telnetd |
| 209 | ··tags: | 209 | ··tags: |
| 210 | ····-·package_telnetd_removed | 210 | ····-·package_inetutils-telnetd_removed |
| 211 | ····-·high_severity | 211 | ····-·high_severity |
| 212 | ····-·disable_strategy | 212 | ····-·disable_strategy |
| 213 | ····-·low_complexity | 213 | ····-·low_complexity |
| 214 | ····-·low_disruption | 214 | ····-·low_disruption |
| 215 | ····-·CCE- | 215 | ····-·CCE- |
| 216 | ····-·NIST-800-53-AC-17(8) | 216 | ····-·NIST-800-53-AC-17(8) |
| 217 | ····-·NIST-800-53-CM-7 | 217 | ····-·NIST-800-53-CM-7 |
| 218 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd | 218 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd |
| 219 | class·remove_telnetd·{ | 219 | class·remove_inetutils-telnetd·{ |
| 220 | ··package·{·'telnetd': | 220 | ··package·{·'inetutils-telnetd': |
| 221 | ····ensure·=>·'purged', | 221 | ····ensure·=>·'purged', |
| 222 | ··} | 222 | ··} |
| 223 | } | 223 | } |
| 224 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services | 224 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services |
| 225 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. | 225 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems. |
| 226 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4943"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service | 226 | Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4943"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service |
| 227 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 227 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| Offset 316, 19 lines modified | Offset 316, 39 lines modified | ||
| 316 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_auditd | 316 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_auditd |
| 317 | class·install_auditd·{ | 317 | class·install_auditd·{ |
| 318 | ··package·{·'auditd': | 318 | ··package·{·'auditd': |
| 319 | ····ensure·=>·'installed', | 319 | ····ensure·=>·'installed', |
| 320 | ··} | 320 | ··} |
| 321 | } | 321 | } |
| 322 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ | 322 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntp_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntp_enabled"·id="guide-tree-leaf-idm4986"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntp_enabled">Enable·the·ntpd·service |
| 323 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntp_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 324 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 325 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 326 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm4995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntp | ||
| 327 | ··service: | ||
| 328 | ····name="{{item}}" | ||
| 329 | ····enabled="yes" | ||
| 330 | ····state="started" | ||
| 331 | ··with_items: | ||
| 332 | ····-·ntp | ||
| 333 | ··tags: | ||
| 334 | ····-·service_ntp_enabled | ||
| 335 | ····-·high_severity | ||
| 336 | ····-·enable_strategy | ||
| 337 | ····-·low_complexity | ||
| 338 | ····-·low_disruption | ||
| 339 | ····-·CCE- | ||
| 340 | ····-·NIST-800-53-AU-8(1) | ||
| 341 | ····-·PCI-DSS-Req-10.4 | ||
| 342 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_auditd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled"·id="guide-tree-leaf-idm5000"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_auditd_enabled">Enable·the·auditd·service | ||
| 323 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_auditd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 343 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_auditd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 324 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 344 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 325 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 345 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 326 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000347</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000157</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000880</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001353</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001462</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001487</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001115</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001454</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000067</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000158</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000831</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001190</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001263</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000130</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000120</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001589</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm50 | 346 | ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000347</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000157</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000880</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001353</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001462</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001487</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001115</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001454</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000067</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000158</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000831</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001190</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001263</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000130</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000120</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001589</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm5031">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm5031"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·auditd |
| 327 | ··service: | 347 | ··service: |
| 328 | ····name="{{item}}" | 348 | ····name="{{item}}" |
| 329 | ····enabled="yes" | 349 | ····enabled="yes" |
| 330 | ····state="started" | 350 | ····state="started" |
| 331 | ··with_items: | 351 | ··with_items: |
| Max diff block lines reached; 97285/126615 bytes (76.84%) of diff not shown. | |||
| Offset 44, 22 lines modified | Offset 44, 22 lines modified | ||
| 44 | ········-·package_nis_removed | 44 | ········-·package_nis_removed |
| 45 | ········-·low_severity | 45 | ········-·low_severity |
| 46 | ········-·disable_strategy | 46 | ········-·disable_strategy |
| 47 | ········-·low_complexity | 47 | ········-·low_complexity |
| 48 | ········-·low_disruption | 48 | ········-·low_disruption |
| 49 | ········-·CCE- | 49 | ········-·CCE- |
| 50 | ···· | 50 | ···· |
| 51 | ····-·name:·Ensure· | 51 | ····-·name:·Ensure·telnetd·is·removed |
| 52 | ······package: | 52 | ······package: |
| 53 | ········name="{{item}}" | 53 | ········name="{{item}}" |
| 54 | ········state=absent | 54 | ········state=absent |
| 55 | ······with_items: | 55 | ······with_items: |
| 56 | ········-· | 56 | ········-·telnetd |
| 57 | ······tags: | 57 | ······tags: |
| 58 | ········-·package_ | 58 | ········-·package_telnetd_removed |
| 59 | ········-·high_severity | 59 | ········-·high_severity |
| 60 | ········-·disable_strategy | 60 | ········-·disable_strategy |
| 61 | ········-·low_complexity | 61 | ········-·low_complexity |
| 62 | ········-·low_disruption | 62 | ········-·low_disruption |
| 63 | ········-·CCE- | 63 | ········-·CCE- |
| 64 | ········-·NIST-800-53-AC-17(8) | 64 | ········-·NIST-800-53-AC-17(8) |
| 65 | ········-·NIST-800-53-CM-7 | 65 | ········-·NIST-800-53-CM-7 |
| Offset 90, 22 lines modified | Offset 90, 22 lines modified | ||
| 90 | ········-·disable_strategy | 90 | ········-·disable_strategy |
| 91 | ········-·low_complexity | 91 | ········-·low_complexity |
| 92 | ········-·low_disruption | 92 | ········-·low_disruption |
| 93 | ········-·CCE- | 93 | ········-·CCE- |
| 94 | ········-·NIST-800-53-AC-17(8) | 94 | ········-·NIST-800-53-AC-17(8) |
| 95 | ········-·NIST-800-53-CM-7 | 95 | ········-·NIST-800-53-CM-7 |
| 96 | ···· | 96 | ···· |
| 97 | ····-·name:·Ensure·telnetd·is·removed | 97 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 98 | ······package: | 98 | ······package: |
| 99 | ········name="{{item}}" | 99 | ········name="{{item}}" |
| 100 | ········state=absent | 100 | ········state=absent |
| 101 | ······with_items: | 101 | ······with_items: |
| 102 | ········-·telnetd | 102 | ········-·inetutils-telnetd |
| 103 | ······tags: | 103 | ······tags: |
| 104 | ········-·package_telnetd_removed | 104 | ········-·package_inetutils-telnetd_removed |
| 105 | ········-·high_severity | 105 | ········-·high_severity |
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| Offset 44, 22 lines modified | Offset 44, 22 lines modified | ||
| 44 | ········-·package_nis_removed | 44 | ········-·package_nis_removed |
| 45 | ········-·low_severity | 45 | ········-·low_severity |
| 46 | ········-·disable_strategy | 46 | ········-·disable_strategy |
| 47 | ········-·low_complexity | 47 | ········-·low_complexity |
| 48 | ········-·low_disruption | 48 | ········-·low_disruption |
| 49 | ········-·CCE- | 49 | ········-·CCE- |
| 50 | ···· | 50 | ···· |
| 51 | ····-·name:·Ensure· | 51 | ····-·name:·Ensure·telnetd·is·removed |
| 52 | ······package: | 52 | ······package: |
| 53 | ········name="{{item}}" | 53 | ········name="{{item}}" |
| 54 | ········state=absent | 54 | ········state=absent |
| 55 | ······with_items: | 55 | ······with_items: |
| 56 | ········-· | 56 | ········-·telnetd |
| 57 | ······tags: | 57 | ······tags: |
| 58 | ········-·package_ | 58 | ········-·package_telnetd_removed |
| 59 | ········-·high_severity | 59 | ········-·high_severity |
| 60 | ········-·disable_strategy | 60 | ········-·disable_strategy |
| 61 | ········-·low_complexity | 61 | ········-·low_complexity |
| 62 | ········-·low_disruption | 62 | ········-·low_disruption |
| 63 | ········-·CCE- | 63 | ········-·CCE- |
| 64 | ········-·NIST-800-53-AC-17(8) | 64 | ········-·NIST-800-53-AC-17(8) |
| 65 | ········-·NIST-800-53-CM-7 | 65 | ········-·NIST-800-53-CM-7 |
| Offset 90, 22 lines modified | Offset 90, 22 lines modified | ||
| 90 | ········-·disable_strategy | 90 | ········-·disable_strategy |
| 91 | ········-·low_complexity | 91 | ········-·low_complexity |
| 92 | ········-·low_disruption | 92 | ········-·low_disruption |
| 93 | ········-·CCE- | 93 | ········-·CCE- |
| 94 | ········-·NIST-800-53-AC-17(8) | 94 | ········-·NIST-800-53-AC-17(8) |
| 95 | ········-·NIST-800-53-CM-7 | 95 | ········-·NIST-800-53-CM-7 |
| 96 | ···· | 96 | ···· |
| 97 | ····-·name:·Ensure·telnetd·is·removed | 97 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 98 | ······package: | 98 | ······package: |
| 99 | ········name="{{item}}" | 99 | ········name="{{item}}" |
| 100 | ········state=absent | 100 | ········state=absent |
| 101 | ······with_items: | 101 | ······with_items: |
| 102 | ········-·telnetd | 102 | ········-·inetutils-telnetd |
| 103 | ······tags: | 103 | ······tags: |
| 104 | ········-·package_telnetd_removed | 104 | ········-·package_inetutils-telnetd_removed |
| 105 | ········-·high_severity | 105 | ········-·high_severity |
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| Offset 151, 52 lines modified | Offset 151, 52 lines modified | ||
| 151 | ········-·package_auditd_installed | 151 | ········-·package_auditd_installed |
| 152 | ········-·medium_severity | 152 | ········-·medium_severity |
| 153 | ········-·enable_strategy | 153 | ········-·enable_strategy |
| 154 | ········-·low_complexity | 154 | ········-·low_complexity |
| 155 | ········-·low_disruption | 155 | ········-·low_disruption |
| 156 | ········-·CCE- | 156 | ········-·CCE- |
| 157 | ···· | 157 | ···· |
| 158 | ····-·name:·Enable·service· | 158 | ····-·name:·Enable·service·ntp |
| 159 | ······service: | 159 | ······service: |
| 160 | ········name="{{item}}" | 160 | ········name="{{item}}" |
| 161 | ········enabled="yes" | 161 | ········enabled="yes" |
| 162 | ········state="started" | 162 | ········state="started" |
| 163 | ······with_items: | 163 | ······with_items: |
| 164 | ········-· | 164 | ········-·ntp |
| 165 | ······tags: | 165 | ······tags: |
| 166 | ········-·service_ | 166 | ········-·service_ntp_enabled |
| 167 | ········-· | 167 | ········-·high_severity |
| 168 | ········-·enable_strategy | 168 | ········-·enable_strategy |
| 169 | ········-·low_complexity | 169 | ········-·low_complexity |
| 170 | ········-·low_disruption | 170 | ········-·low_disruption |
| 171 | ········-·CCE- | 171 | ········-·CCE- |
| 172 | ········-·NIST-800-53-A | 172 | ········-·NIST-800-53-AU-8(1) |
| 173 | ········-· | 173 | ········-·PCI-DSS-Req-10.4 |
| 174 | ········-·NIST-800-53-AU-10 | ||
| 175 | ········-·NIST-800-53-AU-12(a) | ||
| 176 | ········-·NIST-800-53-AU-12(c) | ||
| 177 | ········-·NIST-800-53-IR-5 | ||
| 178 | ········-·PCI-DSS-Req-10 | ||
| 179 | ···· | 174 | ···· |
| 180 | ····-·name:·Enable·service· | 175 | ····-·name:·Enable·service·auditd |
| 181 | ······service: | 176 | ······service: |
| 182 | ········name="{{item}}" | 177 | ········name="{{item}}" |
| 183 | ········enabled="yes" | 178 | ········enabled="yes" |
| 184 | ········state="started" | 179 | ········state="started" |
| 185 | ······with_items: | 180 | ······with_items: |
| 186 | ········-· | 181 | ········-·auditd |
| 187 | ······tags: | 182 | ······tags: |
| 188 | ········-·service_ | 183 | ········-·service_auditd_enabled |
| 189 | ········-· | 184 | ········-·medium_severity |
| 190 | ········-·enable_strategy | 185 | ········-·enable_strategy |
| 191 | ········-·low_complexity | 186 | ········-·low_complexity |
| 192 | ········-·low_disruption | 187 | ········-·low_disruption |
| 193 | ········-·CCE- | 188 | ········-·CCE- |
| 194 | ········-·NIST-800-53-A | 189 | ········-·NIST-800-53-AC-17(1) |
| 195 | ········-· | 190 | ········-·NIST-800-53-AU-1(b) |
| 191 | ········-·NIST-800-53-AU-10 | ||
| 192 | ········-·NIST-800-53-AU-12(a) | ||
| 193 | ········-·NIST-800-53-AU-12(c) | ||
| 194 | ········-·NIST-800-53-IR-5 | ||
| 195 | ········-·PCI-DSS-Req-10 | ||
| 196 | ···· | 196 | ···· |
| 197 | ····-·name:·Enable·service·rsyslog | 197 | ····-·name:·Enable·service·rsyslog |
| 198 | ······service: | 198 | ······service: |
| 199 | ········name="{{item}}" | 199 | ········name="{{item}}" |
| 200 | ········enabled="yes" | 200 | ········enabled="yes" |
| 201 | ········state="started" | 201 | ········state="started" |
| 202 | ······with_items: | 202 | ······with_items: |
| Offset 44, 22 lines modified | Offset 44, 22 lines modified | ||
| 44 | ········-·package_nis_removed | 44 | ········-·package_nis_removed |
| 45 | ········-·low_severity | 45 | ········-·low_severity |
| 46 | ········-·disable_strategy | 46 | ········-·disable_strategy |
| 47 | ········-·low_complexity | 47 | ········-·low_complexity |
| 48 | ········-·low_disruption | 48 | ········-·low_disruption |
| 49 | ········-·CCE- | 49 | ········-·CCE- |
| 50 | ···· | 50 | ···· |
| 51 | ····-·name:·Ensure· | 51 | ····-·name:·Ensure·telnetd·is·removed |
| 52 | ······package: | 52 | ······package: |
| 53 | ········name="{{item}}" | 53 | ········name="{{item}}" |
| 54 | ········state=absent | 54 | ········state=absent |
| 55 | ······with_items: | 55 | ······with_items: |
| 56 | ········-· | 56 | ········-·telnetd |
| 57 | ······tags: | 57 | ······tags: |
| 58 | ········-·package_ | 58 | ········-·package_telnetd_removed |
| 59 | ········-·high_severity | 59 | ········-·high_severity |
| 60 | ········-·disable_strategy | 60 | ········-·disable_strategy |
| 61 | ········-·low_complexity | 61 | ········-·low_complexity |
| 62 | ········-·low_disruption | 62 | ········-·low_disruption |
| 63 | ········-·CCE- | 63 | ········-·CCE- |
| 64 | ········-·NIST-800-53-AC-17(8) | 64 | ········-·NIST-800-53-AC-17(8) |
| 65 | ········-·NIST-800-53-CM-7 | 65 | ········-·NIST-800-53-CM-7 |
| Offset 76, 22 lines modified | Offset 76, 22 lines modified | ||
| 76 | ········-·disable_strategy | 76 | ········-·disable_strategy |
| 77 | ········-·low_complexity | 77 | ········-·low_complexity |
| 78 | ········-·low_disruption | 78 | ········-·low_disruption |
| 79 | ········-·CCE- | 79 | ········-·CCE- |
| 80 | ········-·NIST-800-53-AC-17(8) | 80 | ········-·NIST-800-53-AC-17(8) |
| 81 | ········-·NIST-800-53-CM-7 | 81 | ········-·NIST-800-53-CM-7 |
| 82 | ···· | 82 | ···· |
| 83 | ····-·name:·Ensure·telnetd·is·removed | 83 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 84 | ······package: | 84 | ······package: |
| 85 | ········name="{{item}}" | 85 | ········name="{{item}}" |
| 86 | ········state=absent | 86 | ········state=absent |
| 87 | ······with_items: | 87 | ······with_items: |
| 88 | ········-·telnetd | 88 | ········-·inetutils-telnetd |
| 89 | ······tags: | 89 | ······tags: |
| 90 | ········-·package_telnetd_removed | 90 | ········-·package_inetutils-telnetd_removed |
| 91 | ········-·high_severity | 91 | ········-·high_severity |
| 92 | ········-·disable_strategy | 92 | ········-·disable_strategy |
| 93 | ········-·low_complexity | 93 | ········-·low_complexity |
| 94 | ········-·low_disruption | 94 | ········-·low_disruption |
| 95 | ········-·CCE- | 95 | ········-·CCE- |
| 96 | ········-·NIST-800-53-AC-17(8) | 96 | ········-·NIST-800-53-AC-17(8) |
| 97 | ········-·NIST-800-53-CM-7 | 97 | ········-·NIST-800-53-CM-7 |
| Offset 44, 22 lines modified | Offset 44, 22 lines modified | ||
| 44 | ········-·package_nis_removed | 44 | ········-·package_nis_removed |
| 45 | ········-·low_severity | 45 | ········-·low_severity |
| 46 | ········-·disable_strategy | 46 | ········-·disable_strategy |
| 47 | ········-·low_complexity | 47 | ········-·low_complexity |
| 48 | ········-·low_disruption | 48 | ········-·low_disruption |
| 49 | ········-·CCE- | 49 | ········-·CCE- |
| 50 | ···· | 50 | ···· |
| 51 | ····-·name:·Ensure· | 51 | ····-·name:·Ensure·telnetd·is·removed |
| 52 | ······package: | 52 | ······package: |
| 53 | ········name="{{item}}" | 53 | ········name="{{item}}" |
| 54 | ········state=absent | 54 | ········state=absent |
| 55 | ······with_items: | 55 | ······with_items: |
| 56 | ········-· | 56 | ········-·telnetd |
| 57 | ······tags: | 57 | ······tags: |
| 58 | ········-·package_ | 58 | ········-·package_telnetd_removed |
| 59 | ········-·high_severity | 59 | ········-·high_severity |
| 60 | ········-·disable_strategy | 60 | ········-·disable_strategy |
| 61 | ········-·low_complexity | 61 | ········-·low_complexity |
| 62 | ········-·low_disruption | 62 | ········-·low_disruption |
| 63 | ········-·CCE- | 63 | ········-·CCE- |
| 64 | ········-·NIST-800-53-AC-17(8) | 64 | ········-·NIST-800-53-AC-17(8) |
| 65 | ········-·NIST-800-53-CM-7 | 65 | ········-·NIST-800-53-CM-7 |
| Offset 90, 22 lines modified | Offset 90, 22 lines modified | ||
| 90 | ········-·disable_strategy | 90 | ········-·disable_strategy |
| 91 | ········-·low_complexity | 91 | ········-·low_complexity |
| 92 | ········-·low_disruption | 92 | ········-·low_disruption |
| 93 | ········-·CCE- | 93 | ········-·CCE- |
| 94 | ········-·NIST-800-53-AC-17(8) | 94 | ········-·NIST-800-53-AC-17(8) |
| 95 | ········-·NIST-800-53-CM-7 | 95 | ········-·NIST-800-53-CM-7 |
| 96 | ···· | 96 | ···· |
| 97 | ····-·name:·Ensure·telnetd·is·removed | 97 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 98 | ······package: | 98 | ······package: |
| 99 | ········name="{{item}}" | 99 | ········name="{{item}}" |
| 100 | ········state=absent | 100 | ········state=absent |
| 101 | ······with_items: | 101 | ······with_items: |
| 102 | ········-·telnetd | 102 | ········-·inetutils-telnetd |
| 103 | ······tags: | 103 | ······tags: |
| 104 | ········-·package_telnetd_removed | 104 | ········-·package_inetutils-telnetd_removed |
| 105 | ········-·high_severity | 105 | ········-·high_severity |
| 106 | ········-·disable_strategy | 106 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·low_disruption | 108 | ········-·low_disruption |
| 109 | ········-·CCE- | 109 | ········-·CCE- |
| 110 | ········-·NIST-800-53-AC-17(8) | 110 | ········-·NIST-800-53-AC-17(8) |
| 111 | ········-·NIST-800-53-CM-7 | 111 | ········-·NIST-800-53-CM-7 |
| Offset 151, 52 lines modified | Offset 151, 52 lines modified | ||
| 151 | ········-·package_auditd_installed | 151 | ········-·package_auditd_installed |
| 152 | ········-·medium_severity | 152 | ········-·medium_severity |
| 153 | ········-·enable_strategy | 153 | ········-·enable_strategy |
| 154 | ········-·low_complexity | 154 | ········-·low_complexity |
| 155 | ········-·low_disruption | 155 | ········-·low_disruption |
| 156 | ········-·CCE- | 156 | ········-·CCE- |
| 157 | ···· | 157 | ···· |
| 158 | ····-·name:·Enable·service· | 158 | ····-·name:·Enable·service·ntp |
| 159 | ······service: | 159 | ······service: |
| 160 | ········name="{{item}}" | 160 | ········name="{{item}}" |
| 161 | ········enabled="yes" | 161 | ········enabled="yes" |
| 162 | ········state="started" | 162 | ········state="started" |
| 163 | ······with_items: | 163 | ······with_items: |
| 164 | ········-· | 164 | ········-·ntp |
| 165 | ······tags: | 165 | ······tags: |
| 166 | ········-·service_ | 166 | ········-·service_ntp_enabled |
| 167 | ········-· | 167 | ········-·high_severity |
| 168 | ········-·enable_strategy | 168 | ········-·enable_strategy |
| 169 | ········-·low_complexity | 169 | ········-·low_complexity |
| 170 | ········-·low_disruption | 170 | ········-·low_disruption |
| 171 | ········-·CCE- | 171 | ········-·CCE- |
| 172 | ········-·NIST-800-53-A | 172 | ········-·NIST-800-53-AU-8(1) |
| 173 | ········-· | 173 | ········-·PCI-DSS-Req-10.4 |
| 174 | ········-·NIST-800-53-AU-10 | ||
| 175 | ········-·NIST-800-53-AU-12(a) | ||
| 176 | ········-·NIST-800-53-AU-12(c) | ||
| 177 | ········-·NIST-800-53-IR-5 | ||
| 178 | ········-·PCI-DSS-Req-10 | ||
| 179 | ···· | 174 | ···· |
| 180 | ····-·name:·Enable·service· | 175 | ····-·name:·Enable·service·auditd |
| 181 | ······service: | 176 | ······service: |
| 182 | ········name="{{item}}" | 177 | ········name="{{item}}" |
| 183 | ········enabled="yes" | 178 | ········enabled="yes" |
| 184 | ········state="started" | 179 | ········state="started" |
| 185 | ······with_items: | 180 | ······with_items: |
| 186 | ········-· | 181 | ········-·auditd |
| 187 | ······tags: | 182 | ······tags: |
| 188 | ········-·service_ | 183 | ········-·service_auditd_enabled |
| 189 | ········-· | 184 | ········-·medium_severity |
| 190 | ········-·enable_strategy | 185 | ········-·enable_strategy |
| 191 | ········-·low_complexity | 186 | ········-·low_complexity |
| 192 | ········-·low_disruption | 187 | ········-·low_disruption |
| 193 | ········-·CCE- | 188 | ········-·CCE- |
| 194 | ········-·NIST-800-53-A | 189 | ········-·NIST-800-53-AC-17(1) |
| 195 | ········-· | 190 | ········-·NIST-800-53-AU-1(b) |
| 191 | ········-·NIST-800-53-AU-10 | ||
| 192 | ········-·NIST-800-53-AU-12(a) | ||
| 193 | ········-·NIST-800-53-AU-12(c) | ||
| 194 | ········-·NIST-800-53-IR-5 | ||
| 195 | ········-·PCI-DSS-Req-10 | ||
| 196 | ···· | 196 | ···· |
| 197 | ····-·name:·Enable·service·rsyslog | 197 | ····-·name:·Enable·service·rsyslog |
| 198 | ······service: | 198 | ······service: |
| 199 | ········name="{{item}}" | 199 | ········name="{{item}}" |
| 200 | ········enabled="yes" | 200 | ········enabled="yes" |
| 201 | ········state="started" | 201 | ········state="started" |
| 202 | ······with_items: | 202 | ······with_items: |
| Offset 46, 22 lines modified | Offset 46, 22 lines modified | ||
| 46 | ········-·package_nis_removed | 46 | ········-·package_nis_removed |
| 47 | ········-·low_severity | 47 | ········-·low_severity |
| 48 | ········-·disable_strategy | 48 | ········-·disable_strategy |
| 49 | ········-·low_complexity | 49 | ········-·low_complexity |
| 50 | ········-·low_disruption | 50 | ········-·low_disruption |
| 51 | ········-·CCE- | 51 | ········-·CCE- |
| 52 | ···· | 52 | ···· |
| 53 | ····-·name:·Ensure· | 53 | ····-·name:·Ensure·telnetd·is·removed |
| 54 | ······package: | 54 | ······package: |
| 55 | ········name="{{item}}" | 55 | ········name="{{item}}" |
| 56 | ········state=absent | 56 | ········state=absent |
| 57 | ······with_items: | 57 | ······with_items: |
| 58 | ········-· | 58 | ········-·telnetd |
| 59 | ······tags: | 59 | ······tags: |
| 60 | ········-·package_ | 60 | ········-·package_telnetd_removed |
| 61 | ········-·high_severity | 61 | ········-·high_severity |
| 62 | ········-·disable_strategy | 62 | ········-·disable_strategy |
| 63 | ········-·low_complexity | 63 | ········-·low_complexity |
| 64 | ········-·low_disruption | 64 | ········-·low_disruption |
| 65 | ········-·CCE- | 65 | ········-·CCE- |
| 66 | ········-·NIST-800-53-AC-17(8) | 66 | ········-·NIST-800-53-AC-17(8) |
| 67 | ········-·NIST-800-53-CM-7 | 67 | ········-·NIST-800-53-CM-7 |
| Offset 92, 22 lines modified | Offset 92, 22 lines modified | ||
| 92 | ········-·disable_strategy | 92 | ········-·disable_strategy |
| 93 | ········-·low_complexity | 93 | ········-·low_complexity |
| 94 | ········-·low_disruption | 94 | ········-·low_disruption |
| 95 | ········-·CCE- | 95 | ········-·CCE- |
| 96 | ········-·NIST-800-53-AC-17(8) | 96 | ········-·NIST-800-53-AC-17(8) |
| 97 | ········-·NIST-800-53-CM-7 | 97 | ········-·NIST-800-53-CM-7 |
| 98 | ···· | 98 | ···· |
| 99 | ····-·name:·Ensure·telnetd·is·removed | 99 | ····-·name:·Ensure·inetutils-telnetd·is·removed |
| 100 | ······package: | 100 | ······package: |
| 101 | ········name="{{item}}" | 101 | ········name="{{item}}" |
| 102 | ········state=absent | 102 | ········state=absent |
| 103 | ······with_items: | 103 | ······with_items: |
| 104 | ········-·telnetd | 104 | ········-·inetutils-telnetd |
| 105 | ······tags: | 105 | ······tags: |
| 106 | ········-·package_telnetd_removed | 106 | ········-·package_inetutils-telnetd_removed |
| 107 | ········-·high_severity | 107 | ········-·high_severity |
| 108 | ········-·disable_strategy | 108 | ········-·disable_strategy |
| 109 | ········-·low_complexity | 109 | ········-·low_complexity |
| 110 | ········-·low_disruption | 110 | ········-·low_disruption |
| 111 | ········-·CCE- | 111 | ········-·CCE- |
| 112 | ········-·NIST-800-53-AC-17(8) | 112 | ········-·NIST-800-53-AC-17(8) |
| 113 | ········-·NIST-800-53-CM-7 | 113 | ········-·NIST-800-53-CM-7 |
| Offset 169, 52 lines modified | Offset 169, 52 lines modified | ||
| 169 | ········-·package_auditd_installed | 169 | ········-·package_auditd_installed |
| 170 | ········-·medium_severity | 170 | ········-·medium_severity |
| 171 | ········-·enable_strategy | 171 | ········-·enable_strategy |
| 172 | ········-·low_complexity | 172 | ········-·low_complexity |
| 173 | ········-·low_disruption | 173 | ········-·low_disruption |
| 174 | ········-·CCE- | 174 | ········-·CCE- |
| 175 | ···· | 175 | ···· |
| 176 | ····-·name:·Enable·service· | 176 | ····-·name:·Enable·service·ntp |
| 177 | ······service: | 177 | ······service: |
| 178 | ········name="{{item}}" | 178 | ········name="{{item}}" |
| 179 | ········enabled="yes" | 179 | ········enabled="yes" |
| 180 | ········state="started" | 180 | ········state="started" |
| 181 | ······with_items: | 181 | ······with_items: |
| 182 | ········-· | 182 | ········-·ntp |
| 183 | ······tags: | 183 | ······tags: |
| 184 | ········-·service_ | 184 | ········-·service_ntp_enabled |
| 185 | ········-· | 185 | ········-·high_severity |
| 186 | ········-·enable_strategy | 186 | ········-·enable_strategy |
| 187 | ········-·low_complexity | 187 | ········-·low_complexity |
| 188 | ········-·low_disruption | 188 | ········-·low_disruption |
| 189 | ········-·CCE- | 189 | ········-·CCE- |
| 190 | ········-·NIST-800-53-A | 190 | ········-·NIST-800-53-AU-8(1) |
| 191 | ········-· | 191 | ········-·PCI-DSS-Req-10.4 |
| 192 | ········-·NIST-800-53-AU-10 | ||
| 193 | ········-·NIST-800-53-AU-12(a) | ||
| 194 | ········-·NIST-800-53-AU-12(c) | ||
| 195 | ········-·NIST-800-53-IR-5 | ||
| 196 | ········-·PCI-DSS-Req-10 | ||
| 197 | ···· | 192 | ···· |
| 198 | ····-·name:·Enable·service· | 193 | ····-·name:·Enable·service·auditd |
| 199 | ······service: | 194 | ······service: |
| 200 | ········name="{{item}}" | 195 | ········name="{{item}}" |
| 201 | ········enabled="yes" | 196 | ········enabled="yes" |
| 202 | ········state="started" | 197 | ········state="started" |
| 203 | ······with_items: | 198 | ······with_items: |
| 204 | ········-· | 199 | ········-·auditd |
| 205 | ······tags: | 200 | ······tags: |
| 206 | ········-·service_ | 201 | ········-·service_auditd_enabled |
| 207 | ········-· | 202 | ········-·medium_severity |
| 208 | ········-·enable_strategy | 203 | ········-·enable_strategy |
| 209 | ········-·low_complexity | 204 | ········-·low_complexity |
| 210 | ········-·low_disruption | 205 | ········-·low_disruption |
| 211 | ········-·CCE- | 206 | ········-·CCE- |
| 212 | ········-·NIST-800-53-A | 207 | ········-·NIST-800-53-AC-17(1) |
| 213 | ········-· | 208 | ········-·NIST-800-53-AU-1(b) |
| 209 | ········-·NIST-800-53-AU-10 | ||
| 210 | ········-·NIST-800-53-AU-12(a) | ||
| 211 | ········-·NIST-800-53-AU-12(c) | ||
| 212 | ········-·NIST-800-53-IR-5 | ||
| 213 | ········-·PCI-DSS-Req-10 | ||
| 214 | ···· | 214 | ···· |
| 215 | ····-·name:·Enable·service·rsyslog | 215 | ····-·name:·Enable·service·rsyslog |
| 216 | ······service: | 216 | ······service: |
| 217 | ········name="{{item}}" | 217 | ········name="{{item}}" |
| 218 | ········enabled="yes" | 218 | ········enabled="yes" |
| 219 | ········state="started" | 219 | ········state="started" |
| 220 | ······with_items: | 220 | ······with_items: |
| Offset 31, 25 lines modified | Offset 31, 25 lines modified | ||
| 31 | #» ···remediation·AFTER·testing·on·a·non-production | 31 | #» ···remediation·AFTER·testing·on·a·non-production |
| 32 | #» ···system! | 32 | #» ···system! |
| 33 | apt-get·remove·--purge·nis | 33 | apt-get·remove·--purge·nis |
| 34 | #·END·fix·for·'package_nis_removed' | 34 | #·END·fix·for·'package_nis_removed' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(2·/·37)·for·'package_ | 36 | #·BEGIN·fix·(2·/·37)·for·'package_telnetd_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·2/37:·'package_ | 38 | (>&2·echo·"Remediating·rule·2/37:·'package_telnetd_removed'") |
| 39 | #·CAUTION:·This·remediation·script·will·remove· | 39 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 40 | #» ···from·the·system,·and·may·remove·any·packages | 40 | #» ···from·the·system,·and·may·remove·any·packages |
| 41 | #» ···that·depend·on· | 41 | #» ···that·depend·on·telnetd.·Execute·this |
| 42 | #» ···remediation·AFTER·testing·on·a·non-production | 42 | #» ···remediation·AFTER·testing·on·a·non-production |
| 43 | #» ···system! | 43 | #» ···system! |
| 44 | apt-get·remove·--purge· | 44 | apt-get·remove·--purge·telnetd |
| 45 | #·END·fix·for·'package_ | 45 | #·END·fix·for·'package_telnetd_removed' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | #·BEGIN·fix·(3·/·37)·for·'package_ntpdate_removed' | 47 | #·BEGIN·fix·(3·/·37)·for·'package_ntpdate_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | (>&2·echo·"Remediating·rule·3/37:·'package_ntpdate_removed'") | 49 | (>&2·echo·"Remediating·rule·3/37:·'package_ntpdate_removed'") |
| 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate | 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate |
| 51 | #» ···from·the·system,·and·may·remove·any·packages | 51 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 70, 25 lines modified | Offset 70, 25 lines modified | ||
| 70 | #» ···remediation·AFTER·testing·on·a·non-production | 70 | #» ···remediation·AFTER·testing·on·a·non-production |
| 71 | #» ···system! | 71 | #» ···system! |
| 72 | apt-get·remove·--purge·telnetd-ssl | 72 | apt-get·remove·--purge·telnetd-ssl |
| 73 | #·END·fix·for·'package_telnetd-ssl_removed' | 73 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | #·BEGIN·fix·(5·/·37)·for·'package_telnetd_removed' | 75 | #·BEGIN·fix·(5·/·37)·for·'package_inetutils-telnetd_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | (>&2·echo·"Remediating·rule·5/37:·'package_telnetd_removed'") | 77 | (>&2·echo·"Remediating·rule·5/37:·'package_inetutils-telnetd_removed'") |
| 78 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 78 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 79 | #» ···from·the·system,·and·may·remove·any·packages | 79 | #» ···from·the·system,·and·may·remove·any·packages |
| 80 | #» ···that·depend·on·telnetd.·Execute·this | 80 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 81 | #» ···remediation·AFTER·testing·on·a·non-production | 81 | #» ···remediation·AFTER·testing·on·a·non-production |
| 82 | #» ···system! | 82 | #» ···system! |
| 83 | apt-get·remove·--purge·telnetd | 83 | apt-get·remove·--purge·inetutils-telnetd |
| 84 | #·END·fix·for·'package_telnetd_removed' | 84 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 85 | ############################################################################### | 85 | ############################################################################### |
| 86 | #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed' | 86 | #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'") | 88 | (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'") |
| 89 | #·FIX·FOR·THIS·RULE·IS·MISSING | 89 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 90 | #·END·fix·for·'package_ntp_installed' | 90 | #·END·fix·for·'package_ntp_installed' |
| Offset 97, 33 lines modified | Offset 97, 33 lines modified | ||
| 97 | #·BEGIN·fix·(7·/·37)·for·'sshd_allow_only_protocol2' | 97 | #·BEGIN·fix·(7·/·37)·for·'sshd_allow_only_protocol2' |
| 98 | ############################################################################### | 98 | ############################################################################### |
| 99 | (>&2·echo·"Remediating·rule·7/37:·'sshd_allow_only_protocol2'") | 99 | (>&2·echo·"Remediating·rule·7/37:·'sshd_allow_only_protocol2'") |
| 100 | #·FIX·FOR·THIS·RULE·IS·MISSING | 100 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 101 | #·END·fix·for·'sshd_allow_only_protocol2' | 101 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 102 | ############################################################################### | 102 | ############################################################################### |
| 103 | #·BEGIN·fix·(8·/·37)·for·'sshd_ | 103 | #·BEGIN·fix·(8·/·37)·for·'sshd_set_keepalive' |
| 104 | ############################################################################### | 104 | ############################################################################### |
| 105 | (>&2·echo·"Remediating·rule·8/37:·'sshd_ | 105 | (>&2·echo·"Remediating·rule·8/37:·'sshd_set_keepalive'") |
| 106 | #·FIX·FOR·THIS·RULE·IS·MISSING | 106 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 107 | #·END·fix·for·'sshd_ | 107 | #·END·fix·for·'sshd_set_keepalive' |
| 108 | ############################################################################### | 108 | ############################################################################### |
| 109 | #·BEGIN·fix·(9·/·37)·for·'sshd_set_idle_timeout' | 109 | #·BEGIN·fix·(9·/·37)·for·'sshd_set_idle_timeout' |
| 110 | ############################################################################### | 110 | ############################################################################### |
| 111 | (>&2·echo·"Remediating·rule·9/37:·'sshd_set_idle_timeout'") | 111 | (>&2·echo·"Remediating·rule·9/37:·'sshd_set_idle_timeout'") |
| 112 | #·FIX·FOR·THIS·RULE·IS·MISSING | 112 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 113 | #·END·fix·for·'sshd_set_idle_timeout' | 113 | #·END·fix·for·'sshd_set_idle_timeout' |
| 114 | ############################################################################### | 114 | ############################################################################### |
| 115 | #·BEGIN·fix·(10·/·37)·for·'sshd_set_ | 115 | #·BEGIN·fix·(10·/·37)·for·'sshd_disable_empty_passwords' |
| 116 | ############################################################################### | 116 | ############################################################################### |
| 117 | (>&2·echo·"Remediating·rule·10/37:·'sshd_set_ | 117 | (>&2·echo·"Remediating·rule·10/37:·'sshd_disable_empty_passwords'") |
| 118 | #·FIX·FOR·THIS·RULE·IS·MISSING | 118 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 119 | #·END·fix·for·'sshd_set_ | 119 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 120 | ############################################################################### | 120 | ############################################################################### |
| 121 | #·BEGIN·fix·(11·/·37)·for·'sshd_disable_root_login' | 121 | #·BEGIN·fix·(11·/·37)·for·'sshd_disable_root_login' |
| 122 | ############################################################################### | 122 | ############################################################################### |
| 123 | (>&2·echo·"Remediating·rule·11/37:·'sshd_disable_root_login'") | 123 | (>&2·echo·"Remediating·rule·11/37:·'sshd_disable_root_login'") |
| 124 | #·FIX·FOR·THIS·RULE·IS·MISSING | 124 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 125 | #·END·fix·for·'sshd_disable_root_login' | 125 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 160, 26 lines modified | Offset 160, 26 lines modified | ||
| 160 | #·BEGIN·fix·(16·/·37)·for·'rsyslog_files_groupownership' | 160 | #·BEGIN·fix·(16·/·37)·for·'rsyslog_files_groupownership' |
| 161 | ############################################################################### | 161 | ############################################################################### |
| 162 | (>&2·echo·"Remediating·rule·16/37:·'rsyslog_files_groupownership'") | 162 | (>&2·echo·"Remediating·rule·16/37:·'rsyslog_files_groupownership'") |
| 163 | #·FIX·FOR·THIS·RULE·IS·MISSING | 163 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 164 | #·END·fix·for·'rsyslog_files_groupownership' | 164 | #·END·fix·for·'rsyslog_files_groupownership' |
| 165 | ############################################################################### | 165 | ############################################################################### |
| 166 | #·BEGIN·fix·(17·/·37)·for·' | 166 | #·BEGIN·fix·(17·/·37)·for·'service_syslogng_enabled' |
| 167 | ############################################################################### | 167 | ############################################################################### |
| 168 | (>&2·echo·"Remediating·rule·17/37:·' | 168 | (>&2·echo·"Remediating·rule·17/37:·'service_syslogng_enabled'") |
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | 169 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 170 | #·END·fix·for·' | 170 | #·END·fix·for·'service_syslogng_enabled' |
| 171 | ############################################################################### | 171 | ############################################################################### |
| 172 | #·BEGIN·fix·(18·/·37)·for·' | 172 | #·BEGIN·fix·(18·/·37)·for·'package_syslogng_installed' |
| 173 | ############################################################################### | 173 | ############################################################################### |
| 174 | (>&2·echo·"Remediating·rule·18/37:·' | 174 | (>&2·echo·"Remediating·rule·18/37:·'package_syslogng_installed'") |
| 175 | #·FIX·FOR·THIS·RULE·IS·MISSING | 175 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 176 | #·END·fix·for·' | 176 | #·END·fix·for·'package_syslogng_installed' |
| 177 | ############################################################################### | 177 | ############################################################################### |
| 178 | #·BEGIN·fix·(19·/·37)·for·'ensure_logrotate_activated' | 178 | #·BEGIN·fix·(19·/·37)·for·'ensure_logrotate_activated' |
| 179 | ############################################################################### | 179 | ############################################################################### |
| 180 | (>&2·echo·"Remediating·rule·19/37:·'ensure_logrotate_activated'") | 180 | (>&2·echo·"Remediating·rule·19/37:·'ensure_logrotate_activated'") |
| 181 | #·FIX·FOR·THIS·RULE·IS·MISSING | 181 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 182 | #·END·fix·for·'ensure_logrotate_activated' | 182 | #·END·fix·for·'ensure_logrotate_activated' |
| Offset 31, 25 lines modified | Offset 31, 25 lines modified | ||
| 31 | #» ···remediation·AFTER·testing·on·a·non-production | 31 | #» ···remediation·AFTER·testing·on·a·non-production |
| 32 | #» ···system! | 32 | #» ···system! |
| 33 | apt-get·remove·--purge·nis | 33 | apt-get·remove·--purge·nis |
| 34 | #·END·fix·for·'package_nis_removed' | 34 | #·END·fix·for·'package_nis_removed' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(2·/·42)·for·'package_ | 36 | #·BEGIN·fix·(2·/·42)·for·'package_telnetd_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·2/42:·'package_ | 38 | (>&2·echo·"Remediating·rule·2/42:·'package_telnetd_removed'") |
| 39 | #·CAUTION:·This·remediation·script·will·remove· | 39 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 40 | #» ···from·the·system,·and·may·remove·any·packages | 40 | #» ···from·the·system,·and·may·remove·any·packages |
| 41 | #» ···that·depend·on· | 41 | #» ···that·depend·on·telnetd.·Execute·this |
| 42 | #» ···remediation·AFTER·testing·on·a·non-production | 42 | #» ···remediation·AFTER·testing·on·a·non-production |
| 43 | #» ···system! | 43 | #» ···system! |
| 44 | apt-get·remove·--purge· | 44 | apt-get·remove·--purge·telnetd |
| 45 | #·END·fix·for·'package_ | 45 | #·END·fix·for·'package_telnetd_removed' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | #·BEGIN·fix·(3·/·42)·for·'package_ntpdate_removed' | 47 | #·BEGIN·fix·(3·/·42)·for·'package_ntpdate_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | (>&2·echo·"Remediating·rule·3/42:·'package_ntpdate_removed'") | 49 | (>&2·echo·"Remediating·rule·3/42:·'package_ntpdate_removed'") |
| 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate | 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate |
| 51 | #» ···from·the·system,·and·may·remove·any·packages | 51 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 70, 25 lines modified | Offset 70, 25 lines modified | ||
| 70 | #» ···remediation·AFTER·testing·on·a·non-production | 70 | #» ···remediation·AFTER·testing·on·a·non-production |
| 71 | #» ···system! | 71 | #» ···system! |
| 72 | apt-get·remove·--purge·telnetd-ssl | 72 | apt-get·remove·--purge·telnetd-ssl |
| 73 | #·END·fix·for·'package_telnetd-ssl_removed' | 73 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | #·BEGIN·fix·(5·/·42)·for·'package_telnetd_removed' | 75 | #·BEGIN·fix·(5·/·42)·for·'package_inetutils-telnetd_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | (>&2·echo·"Remediating·rule·5/42:·'package_telnetd_removed'") | 77 | (>&2·echo·"Remediating·rule·5/42:·'package_inetutils-telnetd_removed'") |
| 78 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 78 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 79 | #» ···from·the·system,·and·may·remove·any·packages | 79 | #» ···from·the·system,·and·may·remove·any·packages |
| 80 | #» ···that·depend·on·telnetd.·Execute·this | 80 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 81 | #» ···remediation·AFTER·testing·on·a·non-production | 81 | #» ···remediation·AFTER·testing·on·a·non-production |
| 82 | #» ···system! | 82 | #» ···system! |
| 83 | apt-get·remove·--purge·telnetd | 83 | apt-get·remove·--purge·inetutils-telnetd |
| 84 | #·END·fix·for·'package_telnetd_removed' | 84 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 85 | ############################################################################### | 85 | ############################################################################### |
| 86 | #·BEGIN·fix·(6·/·42)·for·'package_ntp_installed' | 86 | #·BEGIN·fix·(6·/·42)·for·'package_ntp_installed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | (>&2·echo·"Remediating·rule·6/42:·'package_ntp_installed'") | 88 | (>&2·echo·"Remediating·rule·6/42:·'package_ntp_installed'") |
| 89 | #·FIX·FOR·THIS·RULE·IS·MISSING | 89 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 90 | #·END·fix·for·'package_ntp_installed' | 90 | #·END·fix·for·'package_ntp_installed' |
| Offset 104, 54 lines modified | Offset 104, 54 lines modified | ||
| 104 | #·BEGIN·fix·(8·/·42)·for·'package_auditd_installed' | 104 | #·BEGIN·fix·(8·/·42)·for·'package_auditd_installed' |
| 105 | ############################################################################### | 105 | ############################################################################### |
| 106 | (>&2·echo·"Remediating·rule·8/42:·'package_auditd_installed'") | 106 | (>&2·echo·"Remediating·rule·8/42:·'package_auditd_installed'") |
| 107 | #·FIX·FOR·THIS·RULE·IS·MISSING | 107 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 108 | #·END·fix·for·'package_auditd_installed' | 108 | #·END·fix·for·'package_auditd_installed' |
| 109 | ############################################################################### | 109 | ############################################################################### |
| 110 | #·BEGIN·fix·(9·/·42)·for·'service_ | 110 | #·BEGIN·fix·(9·/·42)·for·'service_ntp_enabled' |
| 111 | ############################################################################### | 111 | ############################################################################### |
| 112 | (>&2·echo·"Remediating·rule·9/42:·'service_ | 112 | (>&2·echo·"Remediating·rule·9/42:·'service_ntp_enabled'") |
| 113 | #·FIX·FOR·THIS·RULE·IS·MISSING | 113 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 114 | #·END·fix·for·'service_ | 114 | #·END·fix·for·'service_ntp_enabled' |
| 115 | ############################################################################### | 115 | ############################################################################### |
| 116 | #·BEGIN·fix·(10·/·42)·for·'service_ | 116 | #·BEGIN·fix·(10·/·42)·for·'service_auditd_enabled' |
| 117 | ############################################################################### | 117 | ############################################################################### |
| 118 | (>&2·echo·"Remediating·rule·10/42:·'service_ | 118 | (>&2·echo·"Remediating·rule·10/42:·'service_auditd_enabled'") |
| 119 | #·FIX·FOR·THIS·RULE·IS·MISSING | 119 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 120 | #·END·fix·for·'service_ | 120 | #·END·fix·for·'service_auditd_enabled' |
| 121 | ############################################################################### | 121 | ############################################################################### |
| 122 | #·BEGIN·fix·(11·/·42)·for·'sshd_allow_only_protocol2' | 122 | #·BEGIN·fix·(11·/·42)·for·'sshd_allow_only_protocol2' |
| 123 | ############################################################################### | 123 | ############################################################################### |
| 124 | (>&2·echo·"Remediating·rule·11/42:·'sshd_allow_only_protocol2'") | 124 | (>&2·echo·"Remediating·rule·11/42:·'sshd_allow_only_protocol2'") |
| 125 | #·FIX·FOR·THIS·RULE·IS·MISSING | 125 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 126 | #·END·fix·for·'sshd_allow_only_protocol2' | 126 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 127 | ############################################################################### | 127 | ############################################################################### |
| 128 | #·BEGIN·fix·(12·/·42)·for·'sshd_ | 128 | #·BEGIN·fix·(12·/·42)·for·'sshd_set_keepalive' |
| 129 | ############################################################################### | 129 | ############################################################################### |
| 130 | (>&2·echo·"Remediating·rule·12/42:·'sshd_ | 130 | (>&2·echo·"Remediating·rule·12/42:·'sshd_set_keepalive'") |
| 131 | #·FIX·FOR·THIS·RULE·IS·MISSING | 131 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 132 | #·END·fix·for·'sshd_ | 132 | #·END·fix·for·'sshd_set_keepalive' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | #·BEGIN·fix·(13·/·42)·for·'sshd_set_idle_timeout' | 134 | #·BEGIN·fix·(13·/·42)·for·'sshd_set_idle_timeout' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | (>&2·echo·"Remediating·rule·13/42:·'sshd_set_idle_timeout'") | 136 | (>&2·echo·"Remediating·rule·13/42:·'sshd_set_idle_timeout'") |
| 137 | #·FIX·FOR·THIS·RULE·IS·MISSING | 137 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 138 | #·END·fix·for·'sshd_set_idle_timeout' | 138 | #·END·fix·for·'sshd_set_idle_timeout' |
| 139 | ############################################################################### | 139 | ############################################################################### |
| 140 | #·BEGIN·fix·(14·/·42)·for·'sshd_set_ | 140 | #·BEGIN·fix·(14·/·42)·for·'sshd_disable_empty_passwords' |
| 141 | ############################################################################### | 141 | ############################################################################### |
| 142 | (>&2·echo·"Remediating·rule·14/42:·'sshd_set_ | 142 | (>&2·echo·"Remediating·rule·14/42:·'sshd_disable_empty_passwords'") |
| 143 | #·FIX·FOR·THIS·RULE·IS·MISSING | 143 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 144 | #·END·fix·for·'sshd_set_ | 144 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 145 | ############################################################################### | 145 | ############################################################################### |
| 146 | #·BEGIN·fix·(15·/·42)·for·'sshd_disable_root_login' | 146 | #·BEGIN·fix·(15·/·42)·for·'sshd_disable_root_login' |
| 147 | ############################################################################### | 147 | ############################################################################### |
| 148 | (>&2·echo·"Remediating·rule·15/42:·'sshd_disable_root_login'") | 148 | (>&2·echo·"Remediating·rule·15/42:·'sshd_disable_root_login'") |
| 149 | #·FIX·FOR·THIS·RULE·IS·MISSING | 149 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 150 | #·END·fix·for·'sshd_disable_root_login' | 150 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 188, 26 lines modified | Offset 188, 26 lines modified | ||
| 188 | #·BEGIN·fix·(20·/·42)·for·'rsyslog_files_groupownership' | 188 | #·BEGIN·fix·(20·/·42)·for·'rsyslog_files_groupownership' |
| 189 | ############################################################################### | 189 | ############################################################################### |
| 190 | (>&2·echo·"Remediating·rule·20/42:·'rsyslog_files_groupownership'") | 190 | (>&2·echo·"Remediating·rule·20/42:·'rsyslog_files_groupownership'") |
| 191 | #·FIX·FOR·THIS·RULE·IS·MISSING | 191 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 192 | #·END·fix·for·'rsyslog_files_groupownership' | 192 | #·END·fix·for·'rsyslog_files_groupownership' |
| 193 | ############################################################################### | 193 | ############################################################################### |
| 194 | #·BEGIN·fix·(21·/·42)·for·' | 194 | #·BEGIN·fix·(21·/·42)·for·'service_syslogng_enabled' |
| 195 | ############################################################################### | 195 | ############################################################################### |
| 196 | (>&2·echo·"Remediating·rule·21/42:·' | 196 | (>&2·echo·"Remediating·rule·21/42:·'service_syslogng_enabled'") |
| 197 | #·FIX·FOR·THIS·RULE·IS·MISSING | 197 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 198 | #·END·fix·for·' | 198 | #·END·fix·for·'service_syslogng_enabled' |
| 199 | ############################################################################### | 199 | ############################################################################### |
| 200 | #·BEGIN·fix·(22·/·42)·for·' | 200 | #·BEGIN·fix·(22·/·42)·for·'package_syslogng_installed' |
| 201 | ############################################################################### | 201 | ############################################################################### |
| 202 | (>&2·echo·"Remediating·rule·22/42:·' | 202 | (>&2·echo·"Remediating·rule·22/42:·'package_syslogng_installed'") |
| 203 | #·FIX·FOR·THIS·RULE·IS·MISSING | 203 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 204 | #·END·fix·for·' | 204 | #·END·fix·for·'package_syslogng_installed' |
| Max diff block lines reached; 4709/12406 bytes (37.96%) of diff not shown. | |||
| Offset 31, 25 lines modified | Offset 31, 25 lines modified | ||
| 31 | #» ···remediation·AFTER·testing·on·a·non-production | 31 | #» ···remediation·AFTER·testing·on·a·non-production |
| 32 | #» ···system! | 32 | #» ···system! |
| 33 | apt-get·remove·--purge·nis | 33 | apt-get·remove·--purge·nis |
| 34 | #·END·fix·for·'package_nis_removed' | 34 | #·END·fix·for·'package_nis_removed' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(2·/·16)·for·'package_ | 36 | #·BEGIN·fix·(2·/·16)·for·'package_telnetd_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·2/16:·'package_ | 38 | (>&2·echo·"Remediating·rule·2/16:·'package_telnetd_removed'") |
| 39 | #·CAUTION:·This·remediation·script·will·remove· | 39 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 40 | #» ···from·the·system,·and·may·remove·any·packages | 40 | #» ···from·the·system,·and·may·remove·any·packages |
| 41 | #» ···that·depend·on· | 41 | #» ···that·depend·on·telnetd.·Execute·this |
| 42 | #» ···remediation·AFTER·testing·on·a·non-production | 42 | #» ···remediation·AFTER·testing·on·a·non-production |
| 43 | #» ···system! | 43 | #» ···system! |
| 44 | apt-get·remove·--purge· | 44 | apt-get·remove·--purge·telnetd |
| 45 | #·END·fix·for·'package_ | 45 | #·END·fix·for·'package_telnetd_removed' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | #·BEGIN·fix·(3·/·16)·for·'package_telnetd-ssl_removed' | 47 | #·BEGIN·fix·(3·/·16)·for·'package_telnetd-ssl_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | (>&2·echo·"Remediating·rule·3/16:·'package_telnetd-ssl_removed'") | 49 | (>&2·echo·"Remediating·rule·3/16:·'package_telnetd-ssl_removed'") |
| 50 | #·CAUTION:·This·remediation·script·will·remove·telnetd-ssl | 50 | #·CAUTION:·This·remediation·script·will·remove·telnetd-ssl |
| 51 | #» ···from·the·system,·and·may·remove·any·packages | 51 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 57, 25 lines modified | Offset 57, 25 lines modified | ||
| 57 | #» ···remediation·AFTER·testing·on·a·non-production | 57 | #» ···remediation·AFTER·testing·on·a·non-production |
| 58 | #» ···system! | 58 | #» ···system! |
| 59 | apt-get·remove·--purge·telnetd-ssl | 59 | apt-get·remove·--purge·telnetd-ssl |
| 60 | #·END·fix·for·'package_telnetd-ssl_removed' | 60 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 61 | ############################################################################### | 61 | ############################################################################### |
| 62 | #·BEGIN·fix·(4·/·16)·for·'package_telnetd_removed' | 62 | #·BEGIN·fix·(4·/·16)·for·'package_inetutils-telnetd_removed' |
| 63 | ############################################################################### | 63 | ############################################################################### |
| 64 | (>&2·echo·"Remediating·rule·4/16:·'package_telnetd_removed'") | 64 | (>&2·echo·"Remediating·rule·4/16:·'package_inetutils-telnetd_removed'") |
| 65 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 65 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 66 | #» ···from·the·system,·and·may·remove·any·packages | 66 | #» ···from·the·system,·and·may·remove·any·packages |
| 67 | #» ···that·depend·on·telnetd.·Execute·this | 67 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 68 | #» ···remediation·AFTER·testing·on·a·non-production | 68 | #» ···remediation·AFTER·testing·on·a·non-production |
| 69 | #» ···system! | 69 | #» ···system! |
| 70 | apt-get·remove·--purge·telnetd | 70 | apt-get·remove·--purge·inetutils-telnetd |
| 71 | #·END·fix·for·'package_telnetd_removed' | 71 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 72 | ############################################################################### | 72 | ############################################################################### |
| 73 | #·BEGIN·fix·(5·/·16)·for·'apt_conf_disallow_unauthenticated' | 73 | #·BEGIN·fix·(5·/·16)·for·'apt_conf_disallow_unauthenticated' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | (>&2·echo·"Remediating·rule·5/16:·'apt_conf_disallow_unauthenticated'") | 75 | (>&2·echo·"Remediating·rule·5/16:·'apt_conf_disallow_unauthenticated'") |
| 76 | #·FIX·FOR·THIS·RULE·IS·MISSING | 76 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 77 | #·END·fix·for·'apt_conf_disallow_unauthenticated' | 77 | #·END·fix·for·'apt_conf_disallow_unauthenticated' |
| Offset 84, 26 lines modified | Offset 84, 26 lines modified | ||
| 84 | #·BEGIN·fix·(6·/·16)·for·'apt_sources_list_official' | 84 | #·BEGIN·fix·(6·/·16)·for·'apt_sources_list_official' |
| 85 | ############################################################################### | 85 | ############################################################################### |
| 86 | (>&2·echo·"Remediating·rule·6/16:·'apt_sources_list_official'") | 86 | (>&2·echo·"Remediating·rule·6/16:·'apt_sources_list_official'") |
| 87 | #·FIX·FOR·THIS·RULE·IS·MISSING | 87 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 88 | #·END·fix·for·'apt_sources_list_official' | 88 | #·END·fix·for·'apt_sources_list_official' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | #·BEGIN·fix·(7·/·16)·for·' | 90 | #·BEGIN·fix·(7·/·16)·for·'service_syslogng_enabled' |
| 91 | ############################################################################### | 91 | ############################################################################### |
| 92 | (>&2·echo·"Remediating·rule·7/16:·' | 92 | (>&2·echo·"Remediating·rule·7/16:·'service_syslogng_enabled'") |
| 93 | #·FIX·FOR·THIS·RULE·IS·MISSING | 93 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 94 | #·END·fix·for·' | 94 | #·END·fix·for·'service_syslogng_enabled' |
| 95 | ############################################################################### | 95 | ############################################################################### |
| 96 | #·BEGIN·fix·(8·/·16)·for·' | 96 | #·BEGIN·fix·(8·/·16)·for·'package_syslogng_installed' |
| 97 | ############################################################################### | 97 | ############################################################################### |
| 98 | (>&2·echo·"Remediating·rule·8/16:·' | 98 | (>&2·echo·"Remediating·rule·8/16:·'package_syslogng_installed'") |
| 99 | #·FIX·FOR·THIS·RULE·IS·MISSING | 99 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 100 | #·END·fix·for·' | 100 | #·END·fix·for·'package_syslogng_installed' |
| 101 | ############################################################################### | 101 | ############################################################################### |
| 102 | #·BEGIN·fix·(9·/·16)·for·'service_rsyslog_enabled' | 102 | #·BEGIN·fix·(9·/·16)·for·'service_rsyslog_enabled' |
| 103 | ############################################################################### | 103 | ############################################################################### |
| 104 | (>&2·echo·"Remediating·rule·9/16:·'service_rsyslog_enabled'") | 104 | (>&2·echo·"Remediating·rule·9/16:·'service_rsyslog_enabled'") |
| 105 | #·FIX·FOR·THIS·RULE·IS·MISSING | 105 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 106 | #·END·fix·for·'service_rsyslog_enabled' | 106 | #·END·fix·for·'service_rsyslog_enabled' |
| Offset 31, 25 lines modified | Offset 31, 25 lines modified | ||
| 31 | #» ···remediation·AFTER·testing·on·a·non-production | 31 | #» ···remediation·AFTER·testing·on·a·non-production |
| 32 | #» ···system! | 32 | #» ···system! |
| 33 | apt-get·remove·--purge·nis | 33 | apt-get·remove·--purge·nis |
| 34 | #·END·fix·for·'package_nis_removed' | 34 | #·END·fix·for·'package_nis_removed' |
| 35 | ############################################################################### | 35 | ############################################################################### |
| 36 | #·BEGIN·fix·(2·/·41)·for·'package_ | 36 | #·BEGIN·fix·(2·/·41)·for·'package_telnetd_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule·2/41:·'package_ | 38 | (>&2·echo·"Remediating·rule·2/41:·'package_telnetd_removed'") |
| 39 | #·CAUTION:·This·remediation·script·will·remove· | 39 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 40 | #» ···from·the·system,·and·may·remove·any·packages | 40 | #» ···from·the·system,·and·may·remove·any·packages |
| 41 | #» ···that·depend·on· | 41 | #» ···that·depend·on·telnetd.·Execute·this |
| 42 | #» ···remediation·AFTER·testing·on·a·non-production | 42 | #» ···remediation·AFTER·testing·on·a·non-production |
| 43 | #» ···system! | 43 | #» ···system! |
| 44 | apt-get·remove·--purge· | 44 | apt-get·remove·--purge·telnetd |
| 45 | #·END·fix·for·'package_ | 45 | #·END·fix·for·'package_telnetd_removed' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | #·BEGIN·fix·(3·/·41)·for·'package_ntpdate_removed' | 47 | #·BEGIN·fix·(3·/·41)·for·'package_ntpdate_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | (>&2·echo·"Remediating·rule·3/41:·'package_ntpdate_removed'") | 49 | (>&2·echo·"Remediating·rule·3/41:·'package_ntpdate_removed'") |
| 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate | 50 | #·CAUTION:·This·remediation·script·will·remove·ntpdate |
| 51 | #» ···from·the·system,·and·may·remove·any·packages | 51 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 70, 25 lines modified | Offset 70, 25 lines modified | ||
| 70 | #» ···remediation·AFTER·testing·on·a·non-production | 70 | #» ···remediation·AFTER·testing·on·a·non-production |
| 71 | #» ···system! | 71 | #» ···system! |
| 72 | apt-get·remove·--purge·telnetd-ssl | 72 | apt-get·remove·--purge·telnetd-ssl |
| 73 | #·END·fix·for·'package_telnetd-ssl_removed' | 73 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | #·BEGIN·fix·(5·/·41)·for·'package_telnetd_removed' | 75 | #·BEGIN·fix·(5·/·41)·for·'package_inetutils-telnetd_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | (>&2·echo·"Remediating·rule·5/41:·'package_telnetd_removed'") | 77 | (>&2·echo·"Remediating·rule·5/41:·'package_inetutils-telnetd_removed'") |
| 78 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 78 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 79 | #» ···from·the·system,·and·may·remove·any·packages | 79 | #» ···from·the·system,·and·may·remove·any·packages |
| 80 | #» ···that·depend·on·telnetd.·Execute·this | 80 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 81 | #» ···remediation·AFTER·testing·on·a·non-production | 81 | #» ···remediation·AFTER·testing·on·a·non-production |
| 82 | #» ···system! | 82 | #» ···system! |
| 83 | apt-get·remove·--purge·telnetd | 83 | apt-get·remove·--purge·inetutils-telnetd |
| 84 | #·END·fix·for·'package_telnetd_removed' | 84 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 85 | ############################################################################### | 85 | ############################################################################### |
| 86 | #·BEGIN·fix·(6·/·41)·for·'package_ntp_installed' | 86 | #·BEGIN·fix·(6·/·41)·for·'package_ntp_installed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | (>&2·echo·"Remediating·rule·6/41:·'package_ntp_installed'") | 88 | (>&2·echo·"Remediating·rule·6/41:·'package_ntp_installed'") |
| 89 | #·FIX·FOR·THIS·RULE·IS·MISSING | 89 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 90 | #·END·fix·for·'package_ntp_installed' | 90 | #·END·fix·for·'package_ntp_installed' |
| Offset 104, 54 lines modified | Offset 104, 54 lines modified | ||
| 104 | #·BEGIN·fix·(8·/·41)·for·'package_auditd_installed' | 104 | #·BEGIN·fix·(8·/·41)·for·'package_auditd_installed' |
| 105 | ############################################################################### | 105 | ############################################################################### |
| 106 | (>&2·echo·"Remediating·rule·8/41:·'package_auditd_installed'") | 106 | (>&2·echo·"Remediating·rule·8/41:·'package_auditd_installed'") |
| 107 | #·FIX·FOR·THIS·RULE·IS·MISSING | 107 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 108 | #·END·fix·for·'package_auditd_installed' | 108 | #·END·fix·for·'package_auditd_installed' |
| 109 | ############################################################################### | 109 | ############################################################################### |
| 110 | #·BEGIN·fix·(9·/·41)·for·'service_ | 110 | #·BEGIN·fix·(9·/·41)·for·'service_ntp_enabled' |
| 111 | ############################################################################### | 111 | ############################################################################### |
| 112 | (>&2·echo·"Remediating·rule·9/41:·'service_ | 112 | (>&2·echo·"Remediating·rule·9/41:·'service_ntp_enabled'") |
| 113 | #·FIX·FOR·THIS·RULE·IS·MISSING | 113 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 114 | #·END·fix·for·'service_ | 114 | #·END·fix·for·'service_ntp_enabled' |
| 115 | ############################################################################### | 115 | ############################################################################### |
| 116 | #·BEGIN·fix·(10·/·41)·for·'service_ | 116 | #·BEGIN·fix·(10·/·41)·for·'service_auditd_enabled' |
| 117 | ############################################################################### | 117 | ############################################################################### |
| 118 | (>&2·echo·"Remediating·rule·10/41:·'service_ | 118 | (>&2·echo·"Remediating·rule·10/41:·'service_auditd_enabled'") |
| 119 | #·FIX·FOR·THIS·RULE·IS·MISSING | 119 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 120 | #·END·fix·for·'service_ | 120 | #·END·fix·for·'service_auditd_enabled' |
| 121 | ############################################################################### | 121 | ############################################################################### |
| 122 | #·BEGIN·fix·(11·/·41)·for·'sshd_allow_only_protocol2' | 122 | #·BEGIN·fix·(11·/·41)·for·'sshd_allow_only_protocol2' |
| 123 | ############################################################################### | 123 | ############################################################################### |
| 124 | (>&2·echo·"Remediating·rule·11/41:·'sshd_allow_only_protocol2'") | 124 | (>&2·echo·"Remediating·rule·11/41:·'sshd_allow_only_protocol2'") |
| 125 | #·FIX·FOR·THIS·RULE·IS·MISSING | 125 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 126 | #·END·fix·for·'sshd_allow_only_protocol2' | 126 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 127 | ############################################################################### | 127 | ############################################################################### |
| 128 | #·BEGIN·fix·(12·/·41)·for·'sshd_ | 128 | #·BEGIN·fix·(12·/·41)·for·'sshd_set_keepalive' |
| 129 | ############################################################################### | 129 | ############################################################################### |
| 130 | (>&2·echo·"Remediating·rule·12/41:·'sshd_ | 130 | (>&2·echo·"Remediating·rule·12/41:·'sshd_set_keepalive'") |
| 131 | #·FIX·FOR·THIS·RULE·IS·MISSING | 131 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 132 | #·END·fix·for·'sshd_ | 132 | #·END·fix·for·'sshd_set_keepalive' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | #·BEGIN·fix·(13·/·41)·for·'sshd_set_idle_timeout' | 134 | #·BEGIN·fix·(13·/·41)·for·'sshd_set_idle_timeout' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | (>&2·echo·"Remediating·rule·13/41:·'sshd_set_idle_timeout'") | 136 | (>&2·echo·"Remediating·rule·13/41:·'sshd_set_idle_timeout'") |
| 137 | #·FIX·FOR·THIS·RULE·IS·MISSING | 137 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 138 | #·END·fix·for·'sshd_set_idle_timeout' | 138 | #·END·fix·for·'sshd_set_idle_timeout' |
| 139 | ############################################################################### | 139 | ############################################################################### |
| 140 | #·BEGIN·fix·(14·/·41)·for·'sshd_set_ | 140 | #·BEGIN·fix·(14·/·41)·for·'sshd_disable_empty_passwords' |
| 141 | ############################################################################### | 141 | ############################################################################### |
| 142 | (>&2·echo·"Remediating·rule·14/41:·'sshd_set_ | 142 | (>&2·echo·"Remediating·rule·14/41:·'sshd_disable_empty_passwords'") |
| 143 | #·FIX·FOR·THIS·RULE·IS·MISSING | 143 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 144 | #·END·fix·for·'sshd_set_ | 144 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 145 | ############################################################################### | 145 | ############################################################################### |
| 146 | #·BEGIN·fix·(15·/·41)·for·'sshd_disable_root_login' | 146 | #·BEGIN·fix·(15·/·41)·for·'sshd_disable_root_login' |
| 147 | ############################################################################### | 147 | ############################################################################### |
| 148 | (>&2·echo·"Remediating·rule·15/41:·'sshd_disable_root_login'") | 148 | (>&2·echo·"Remediating·rule·15/41:·'sshd_disable_root_login'") |
| 149 | #·FIX·FOR·THIS·RULE·IS·MISSING | 149 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 150 | #·END·fix·for·'sshd_disable_root_login' | 150 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 188, 26 lines modified | Offset 188, 26 lines modified | ||
| 188 | #·BEGIN·fix·(20·/·41)·for·'rsyslog_files_groupownership' | 188 | #·BEGIN·fix·(20·/·41)·for·'rsyslog_files_groupownership' |
| 189 | ############################################################################### | 189 | ############################################################################### |
| 190 | (>&2·echo·"Remediating·rule·20/41:·'rsyslog_files_groupownership'") | 190 | (>&2·echo·"Remediating·rule·20/41:·'rsyslog_files_groupownership'") |
| 191 | #·FIX·FOR·THIS·RULE·IS·MISSING | 191 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 192 | #·END·fix·for·'rsyslog_files_groupownership' | 192 | #·END·fix·for·'rsyslog_files_groupownership' |
| 193 | ############################################################################### | 193 | ############################################################################### |
| 194 | #·BEGIN·fix·(21·/·41)·for·' | 194 | #·BEGIN·fix·(21·/·41)·for·'service_syslogng_enabled' |
| 195 | ############################################################################### | 195 | ############################################################################### |
| 196 | (>&2·echo·"Remediating·rule·21/41:·' | 196 | (>&2·echo·"Remediating·rule·21/41:·'service_syslogng_enabled'") |
| 197 | #·FIX·FOR·THIS·RULE·IS·MISSING | 197 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 198 | #·END·fix·for·' | 198 | #·END·fix·for·'service_syslogng_enabled' |
| 199 | ############################################################################### | 199 | ############################################################################### |
| 200 | #·BEGIN·fix·(22·/·41)·for·' | 200 | #·BEGIN·fix·(22·/·41)·for·'package_syslogng_installed' |
| 201 | ############################################################################### | 201 | ############################################################################### |
| 202 | (>&2·echo·"Remediating·rule·22/41:·' | 202 | (>&2·echo·"Remediating·rule·22/41:·'package_syslogng_installed'") |
| 203 | #·FIX·FOR·THIS·RULE·IS·MISSING | 203 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 204 | #·END·fix·for·' | 204 | #·END·fix·for·'package_syslogng_installed' |
| Max diff block lines reached; 280/7977 bytes (3.51%) of diff not shown. | |||
| Offset 33, 25 lines modified | Offset 33, 25 lines modified | ||
| 33 | #» ···remediation·AFTER·testing·on·a·non-production | 33 | #» ···remediation·AFTER·testing·on·a·non-production |
| 34 | #» ···system! | 34 | #» ···system! |
| 35 | apt-get·remove·--purge·nis | 35 | apt-get·remove·--purge·nis |
| 36 | #·END·fix·for·'package_nis_removed' | 36 | #·END·fix·for·'package_nis_removed' |
| 37 | ############################################################################### | 37 | ############################################################################### |
| 38 | #·BEGIN·fix·(2·/·36)·for·'package_ | 38 | #·BEGIN·fix·(2·/·36)·for·'package_telnetd_removed' |
| 39 | ############################################################################### | 39 | ############################################################################### |
| 40 | (>&2·echo·"Remediating·rule·2/36:·'package_ | 40 | (>&2·echo·"Remediating·rule·2/36:·'package_telnetd_removed'") |
| 41 | #·CAUTION:·This·remediation·script·will·remove· | 41 | #·CAUTION:·This·remediation·script·will·remove·telnetd |
| 42 | #» ···from·the·system,·and·may·remove·any·packages | 42 | #» ···from·the·system,·and·may·remove·any·packages |
| 43 | #» ···that·depend·on· | 43 | #» ···that·depend·on·telnetd.·Execute·this |
| 44 | #» ···remediation·AFTER·testing·on·a·non-production | 44 | #» ···remediation·AFTER·testing·on·a·non-production |
| 45 | #» ···system! | 45 | #» ···system! |
| 46 | apt-get·remove·--purge· | 46 | apt-get·remove·--purge·telnetd |
| 47 | #·END·fix·for·'package_ | 47 | #·END·fix·for·'package_telnetd_removed' |
| 48 | ############################################################################### | 48 | ############################################################################### |
| 49 | #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed' | 49 | #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed' |
| 50 | ############################################################################### | 50 | ############################################################################### |
| 51 | (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'") | 51 | (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'") |
| 52 | #·CAUTION:·This·remediation·script·will·remove·ntpdate | 52 | #·CAUTION:·This·remediation·script·will·remove·ntpdate |
| 53 | #» ···from·the·system,·and·may·remove·any·packages | 53 | #» ···from·the·system,·and·may·remove·any·packages |
| Offset 72, 25 lines modified | Offset 72, 25 lines modified | ||
| 72 | #» ···remediation·AFTER·testing·on·a·non-production | 72 | #» ···remediation·AFTER·testing·on·a·non-production |
| 73 | #» ···system! | 73 | #» ···system! |
| 74 | apt-get·remove·--purge·telnetd-ssl | 74 | apt-get·remove·--purge·telnetd-ssl |
| 75 | #·END·fix·for·'package_telnetd-ssl_removed' | 75 | #·END·fix·for·'package_telnetd-ssl_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | #·BEGIN·fix·(5·/·36)·for·'package_telnetd_removed' | 77 | #·BEGIN·fix·(5·/·36)·for·'package_inetutils-telnetd_removed' |
| 78 | ############################################################################### | 78 | ############################################################################### |
| 79 | (>&2·echo·"Remediating·rule·5/36:·'package_telnetd_removed'") | 79 | (>&2·echo·"Remediating·rule·5/36:·'package_inetutils-telnetd_removed'") |
| 80 | #·CAUTION:·This·remediation·script·will·remove·telnetd | 80 | #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd |
| 81 | #» ···from·the·system,·and·may·remove·any·packages | 81 | #» ···from·the·system,·and·may·remove·any·packages |
| 82 | #» ···that·depend·on·telnetd.·Execute·this | 82 | #» ···that·depend·on·inetutils-telnetd.·Execute·this |
| 83 | #» ···remediation·AFTER·testing·on·a·non-production | 83 | #» ···remediation·AFTER·testing·on·a·non-production |
| 84 | #» ···system! | 84 | #» ···system! |
| 85 | apt-get·remove·--purge·telnetd | 85 | apt-get·remove·--purge·inetutils-telnetd |
| 86 | #·END·fix·for·'package_telnetd_removed' | 86 | #·END·fix·for·'package_inetutils-telnetd_removed' |
| 87 | ############################################################################### | 87 | ############################################################################### |
| 88 | #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled' | 88 | #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled' |
| 89 | ############################################################################### | 89 | ############################################################################### |
| 90 | (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'") | 90 | (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'") |
| 91 | #·FIX·FOR·THIS·RULE·IS·MISSING | 91 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 92 | #·END·fix·for·'service_cron_enabled' | 92 | #·END·fix·for·'service_cron_enabled' |
| Offset 113, 54 lines modified | Offset 113, 54 lines modified | ||
| 113 | #·BEGIN·fix·(9·/·36)·for·'package_auditd_installed' | 113 | #·BEGIN·fix·(9·/·36)·for·'package_auditd_installed' |
| 114 | ############################################################################### | 114 | ############################################################################### |
| 115 | (>&2·echo·"Remediating·rule·9/36:·'package_auditd_installed'") | 115 | (>&2·echo·"Remediating·rule·9/36:·'package_auditd_installed'") |
| 116 | #·FIX·FOR·THIS·RULE·IS·MISSING | 116 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 117 | #·END·fix·for·'package_auditd_installed' | 117 | #·END·fix·for·'package_auditd_installed' |
| 118 | ############################################################################### | 118 | ############################################################################### |
| 119 | #·BEGIN·fix·(10·/·36)·for·'service_ | 119 | #·BEGIN·fix·(10·/·36)·for·'service_ntp_enabled' |
| 120 | ############################################################################### | 120 | ############################################################################### |
| 121 | (>&2·echo·"Remediating·rule·10/36:·'service_ | 121 | (>&2·echo·"Remediating·rule·10/36:·'service_ntp_enabled'") |
| 122 | #·FIX·FOR·THIS·RULE·IS·MISSING | 122 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 123 | #·END·fix·for·'service_ | 123 | #·END·fix·for·'service_ntp_enabled' |
| 124 | ############################################################################### | 124 | ############################################################################### |
| 125 | #·BEGIN·fix·(11·/·36)·for·'service_ | 125 | #·BEGIN·fix·(11·/·36)·for·'service_auditd_enabled' |
| 126 | ############################################################################### | 126 | ############################################################################### |
| 127 | (>&2·echo·"Remediating·rule·11/36:·'service_ | 127 | (>&2·echo·"Remediating·rule·11/36:·'service_auditd_enabled'") |
| 128 | #·FIX·FOR·THIS·RULE·IS·MISSING | 128 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 129 | #·END·fix·for·'service_ | 129 | #·END·fix·for·'service_auditd_enabled' |
| 130 | ############################################################################### | 130 | ############################################################################### |
| 131 | #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2' | 131 | #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2' |
| 132 | ############################################################################### | 132 | ############################################################################### |
| 133 | (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'") | 133 | (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'") |
| 134 | #·FIX·FOR·THIS·RULE·IS·MISSING | 134 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 135 | #·END·fix·for·'sshd_allow_only_protocol2' | 135 | #·END·fix·for·'sshd_allow_only_protocol2' |
| 136 | ############################################################################### | 136 | ############################################################################### |
| 137 | #·BEGIN·fix·(13·/·36)·for·'sshd_ | 137 | #·BEGIN·fix·(13·/·36)·for·'sshd_set_keepalive' |
| 138 | ############################################################################### | 138 | ############################################################################### |
| 139 | (>&2·echo·"Remediating·rule·13/36:·'sshd_ | 139 | (>&2·echo·"Remediating·rule·13/36:·'sshd_set_keepalive'") |
| 140 | #·FIX·FOR·THIS·RULE·IS·MISSING | 140 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 141 | #·END·fix·for·'sshd_ | 141 | #·END·fix·for·'sshd_set_keepalive' |
| 142 | ############################################################################### | 142 | ############################################################################### |
| 143 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_idle_timeout' | 143 | #·BEGIN·fix·(14·/·36)·for·'sshd_set_idle_timeout' |
| 144 | ############################################################################### | 144 | ############################################################################### |
| 145 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_idle_timeout'") | 145 | (>&2·echo·"Remediating·rule·14/36:·'sshd_set_idle_timeout'") |
| 146 | #·FIX·FOR·THIS·RULE·IS·MISSING | 146 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 147 | #·END·fix·for·'sshd_set_idle_timeout' | 147 | #·END·fix·for·'sshd_set_idle_timeout' |
| 148 | ############################################################################### | 148 | ############################################################################### |
| 149 | #·BEGIN·fix·(15·/·36)·for·'sshd_set_ | 149 | #·BEGIN·fix·(15·/·36)·for·'sshd_disable_empty_passwords' |
| 150 | ############################################################################### | 150 | ############################################################################### |
| 151 | (>&2·echo·"Remediating·rule·15/36:·'sshd_set_ | 151 | (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_empty_passwords'") |
| 152 | #·FIX·FOR·THIS·RULE·IS·MISSING | 152 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 153 | #·END·fix·for·'sshd_set_ | 153 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 154 | ############################################################################### | 154 | ############################################################################### |
| 155 | #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login' | 155 | #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login' |
| 156 | ############################################################################### | 156 | ############################################################################### |
| 157 | (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'") | 157 | (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'") |
| 158 | #·FIX·FOR·THIS·RULE·IS·MISSING | 158 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 159 | #·END·fix·for·'sshd_disable_root_login' | 159 | #·END·fix·for·'sshd_disable_root_login' |
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_debian8:def:1"·version="3"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_debian8:def:1"·version="3"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Debian·8</ns0:title> | 12 | ········<ns0:title>Debian·8</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Debian·8</ns0:platform> | 14 | ··········<ns0:platform>Debian·8</ns0:platform> |
| Offset 18, 21 lines modified | Offset 18, 21 lines modified | ||
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-ocil.xml"/> | 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-ocil.xml"/> |
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-debian8-oval.xml"·timestamp="2020-07-1 | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-debian8-oval.xml"·timestamp="2020-07-12T18:46:42"> |
| 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 27 | ······<ns0:generator> | 27 | ······<ns0:generator> |
| 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 30 | ········<ns2:schema_version>5.11</ns2:schema_version> | 30 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 31 | ········<ns2:timestamp>2020-07-12T0 | 31 | ········<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp> |
| 32 | ······</ns0:generator> | 32 | ······</ns0:generator> |
| 33 | ······<ns0:definitions> | 33 | ······<ns0:definitions> |
| 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> | 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> |
| 35 | ··········<ns0:metadata> | 35 | ··········<ns0:metadata> |
| 36 | ············<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> | 36 | ············<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> |
| 37 | ············<ns0:affected·family="unix"> | 37 | ············<ns0:affected·family="unix"> |
| 38 | ··············<ns0:platform>Debian·8</ns0:platform> | 38 | ··············<ns0:platform>Debian·8</ns0:platform> |
| Offset 5573, 57 lines modified | Offset 5573, 57 lines modified | ||
| 5573 | ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/> | 5573 | ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/> |
| 5574 | ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/> | 5574 | ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/> |
| 5575 | ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/> | 5575 | ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/> |
| 5576 | ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/> | 5576 | ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/> |
| 5577 | ······</ns0:variables> | 5577 | ······</ns0:variables> |
| 5578 | ····</ns0:oval_definitions> | 5578 | ····</ns0:oval_definitions> |
| 5579 | ··</ds:component> | 5579 | ··</ds:component> |
| 5580 | ··<ds:component·id="scap_org.open-scap_comp_ssg-debian8-ocil.xml"·timestamp="2020-07-1 | 5580 | ··<ds:component·id="scap_org.open-scap_comp_ssg-debian8-ocil.xml"·timestamp="2020-07-12T18:46:40"> |
| 5581 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 5581 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 5582 | ······<ns0:generator> | 5582 | ······<ns0:generator> |
| 5583 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 5583 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5584 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5584 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 5585 | ········<ns0:schema_version>2.0</ns0:schema_version> | 5585 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 5586 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 5586 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 5587 | ······</ns0:generator> | 5587 | ······</ns0:generator> |
| 5588 | ······<ns0:questionnaires> | 5588 | ······<ns0:questionnaires> |
| 5589 | ········<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> | ||
| 5590 | ··········<ns0:title>Enable·the·auditd·service</ns0:title> | ||
| 5591 | ··········<ns0:actions> | ||
| 5592 | ············<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> | ||
| 5593 | ··········</ns0:actions> | ||
| 5594 | ········</ns0:questionnaire> | ||
| 5595 | ········<ns0:questionnaire·id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1"> | 5589 | ········<ns0:questionnaire·id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1"> |
| 5596 | ··········<ns0:title>Enable·the·ntpd·service</ns0:title> | 5590 | ··········<ns0:title>Enable·the·ntpd·service</ns0:title> |
| 5597 | ··········<ns0:actions> | 5591 | ··········<ns0:actions> |
| 5598 | ············<ns0:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ns0:test_action_ref> | 5592 | ············<ns0:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ns0:test_action_ref> |
| 5599 | ··········</ns0:actions> | 5593 | ··········</ns0:actions> |
| 5600 | ········</ns0:questionnaire> | 5594 | ········</ns0:questionnaire> |
| 5595 | ········<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> | ||
| 5596 | ··········<ns0:title>Enable·the·auditd·service</ns0:title> | ||
| 5597 | ··········<ns0:actions> | ||
| 5598 | ············<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> | ||
| 5599 | ··········</ns0:actions> | ||
| 5600 | ········</ns0:questionnaire> | ||
| 5601 | ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | 5601 | ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> |
| 5602 | ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | 5602 | ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> |
| 5603 | ··········<ns0:actions> | 5603 | ··········<ns0:actions> |
| 5604 | ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | 5604 | ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> |
| 5605 | ··········</ns0:actions> | 5605 | ··········</ns0:actions> |
| 5606 | ········</ns0:questionnaire> | 5606 | ········</ns0:questionnaire> |
| 5607 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 5607 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 5608 | ··········<ns0:title> | 5608 | ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 5609 | ··········<ns0:actions> | 5609 | ··········<ns0:actions> |
| 5610 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 5610 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 5611 | ··········</ns0:actions> | 5611 | ··········</ns0:actions> |
| 5612 | ········</ns0:questionnaire> | 5612 | ········</ns0:questionnaire> |
| 5613 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> | 5613 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 5614 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> | 5614 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 5615 | ··········<ns0:actions> | 5615 | ··········<ns0:actions> |
| 5616 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> | 5616 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 5617 | ··········</ns0:actions> | 5617 | ··········</ns0:actions> |
| 5618 | ········</ns0:questionnaire> | 5618 | ········</ns0:questionnaire> |
| 5619 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_ | 5619 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> |
| 5620 | ··········<ns0:title> | 5620 | ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> |
| 5621 | ··········<ns0:actions> | 5621 | ··········<ns0:actions> |
| 5622 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_ | 5622 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> |
| 5623 | ··········</ns0:actions> | 5623 | ··········</ns0:actions> |
| 5624 | ········</ns0:questionnaire> | 5624 | ········</ns0:questionnaire> |
| 5625 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> | 5625 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> |
| 5626 | ··········<ns0:title>Disable·SSH·Root·Login</ns0:title> | 5626 | ··········<ns0:title>Disable·SSH·Root·Login</ns0:title> |
| 5627 | ··········<ns0:actions> | 5627 | ··········<ns0:actions> |
| 5628 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> | 5628 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> |
| 5629 | ··········</ns0:actions> | 5629 | ··········</ns0:actions> |
| Offset 5648, 26 lines modified | Offset 5648, 26 lines modified | ||
| 5648 | ········</ns0:questionnaire> | 5648 | ········</ns0:questionnaire> |
| 5649 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> | 5649 | ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> |
| 5650 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> | 5650 | ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> |
| 5651 | ··········<ns0:actions> | 5651 | ··········<ns0:actions> |
| 5652 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> | 5652 | ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> |
| 5653 | ··········</ns0:actions> | 5653 | ··········</ns0:actions> |
| 5654 | ········</ns0:questionnaire> | 5654 | ········</ns0:questionnaire> |
| 5655 | ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | ||
| 5656 | ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | ||
| 5657 | ··········<ns0:actions> | ||
| 5658 | ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | ||
| 5659 | ··········</ns0:actions> | ||
| 5660 | ········</ns0:questionnaire> | ||
| 5661 | ········<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"> | 5655 | ········<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"> |
| 5662 | ··········<ns0:title>Enable·syslog-ng·Service</ns0:title> | 5656 | ··········<ns0:title>Enable·syslog-ng·Service</ns0:title> |
| 5663 | ··········<ns0:actions> | 5657 | ··········<ns0:actions> |
| 5664 | ············<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref> | 5658 | ············<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref> |
| 5665 | ··········</ns0:actions> | 5659 | ··········</ns0:actions> |
| 5666 | ········</ns0:questionnaire> | 5660 | ········</ns0:questionnaire> |
| 5661 | ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | ||
| 5662 | ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | ||
| 5663 | ··········<ns0:actions> | ||
| 5664 | ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | ||
| 5665 | ··········</ns0:actions> | ||
| 5666 | ········</ns0:questionnaire> | ||
| 5667 | ········<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"> | 5667 | ········<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"> |
| 5668 | ··········<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title> | 5668 | ··········<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title> |
| 5669 | ··········<ns0:actions> | 5669 | ··········<ns0:actions> |
| 5670 | ············<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref> | 5670 | ············<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref> |
| 5671 | ··········</ns0:actions> | 5671 | ··········</ns0:actions> |
| 5672 | ········</ns0:questionnaire> | 5672 | ········</ns0:questionnaire> |
| 5673 | ········<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"> | 5673 | ········<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"> |
| Offset 5788, 23 lines modified | Offset 5788, 23 lines modified | ||
| 5788 | ··········<ns0:title>Enable·Randomized·Layout·of·Virtual·Address·Space</ns0:title> | 5788 | ··········<ns0:title>Enable·Randomized·Layout·of·Virtual·Address·Space</ns0:title> |
| 5789 | ··········<ns0:actions> | 5789 | ··········<ns0:actions> |
| 5790 | ············<ns0:test_action_ref>ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1</ns0:test_action_ref> | 5790 | ············<ns0:test_action_ref>ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1</ns0:test_action_ref> |
| 5791 | ··········</ns0:actions> | 5791 | ··········</ns0:actions> |
| 5792 | ········</ns0:questionnaire> | 5792 | ········</ns0:questionnaire> |
| 5793 | ······</ns0:questionnaires> | 5793 | ······</ns0:questionnaires> |
| 5794 | ······<ns0:test_actions> | 5794 | ······<ns0:test_actions> |
| 5795 | ········<ns0:boolean_question_test_action·id="ocil:ssg-service_ | 5795 | ········<ns0:boolean_question_test_action·id="ocil:ssg-service_ntp_enabled_action:testaction:1"·question_ref="ocil:ssg-service_ntp_enabled_question:question:1"> |
| Max diff block lines reached; 147757/157210 bytes (93.99%) of diff not shown. | |||
| Offset 3, 48 lines modified | Offset 3, 48 lines modified | ||
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 6 | ····<ns0:schema_version>2.0</ns0:schema_version> | 6 | ····<ns0:schema_version>2.0</ns0:schema_version> |
| 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:questionnaires> | 9 | ··<ns0:questionnaires> |
| 10 | ····<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> | ||
| 11 | ······<ns0:title>Enable·the·auditd·service</ns0:title> | ||
| 12 | ······<ns0:actions> | ||
| 13 | ········<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> | ||
| 14 | ······</ns0:actions> | ||
| 15 | ····</ns0:questionnaire> | ||
| 16 | ····<ns0:questionnaire·id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1"> | 10 | ····<ns0:questionnaire·id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1"> |
| 17 | ······<ns0:title>Enable·the·ntpd·service</ns0:title> | 11 | ······<ns0:title>Enable·the·ntpd·service</ns0:title> |
| 18 | ······<ns0:actions> | 12 | ······<ns0:actions> |
| 19 | ········<ns0:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ns0:test_action_ref> | 13 | ········<ns0:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ns0:test_action_ref> |
| 20 | ······</ns0:actions> | 14 | ······</ns0:actions> |
| 21 | ····</ns0:questionnaire> | 15 | ····</ns0:questionnaire> |
| 16 | ····<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> | ||
| 17 | ······<ns0:title>Enable·the·auditd·service</ns0:title> | ||
| 18 | ······<ns0:actions> | ||
| 19 | ········<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> | ||
| 20 | ······</ns0:actions> | ||
| 21 | ····</ns0:questionnaire> | ||
| 22 | ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> | 22 | ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"> |
| 23 | ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> | 23 | ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title> |
| 24 | ······<ns0:actions> | 24 | ······<ns0:actions> |
| 25 | ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> | 25 | ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref> |
| 26 | ······</ns0:actions> | 26 | ······</ns0:actions> |
| 27 | ····</ns0:questionnaire> | 27 | ····</ns0:questionnaire> |
| 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 29 | ······<ns0:title> | 29 | ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 30 | ······<ns0:actions> | 30 | ······<ns0:actions> |
| 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 32 | ······</ns0:actions> | 32 | ······</ns0:actions> |
| 33 | ····</ns0:questionnaire> | 33 | ····</ns0:questionnaire> |
| 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> | 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 35 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> | 35 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 36 | ······<ns0:actions> | 36 | ······<ns0:actions> |
| 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> | 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 38 | ······</ns0:actions> | 38 | ······</ns0:actions> |
| 39 | ····</ns0:questionnaire> | 39 | ····</ns0:questionnaire> |
| 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_ | 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"> |
| 41 | ······<ns0:title> | 41 | ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title> |
| 42 | ······<ns0:actions> | 42 | ······<ns0:actions> |
| 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_ | 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref> |
| 44 | ······</ns0:actions> | 44 | ······</ns0:actions> |
| 45 | ····</ns0:questionnaire> | 45 | ····</ns0:questionnaire> |
| 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> | 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"> |
| 47 | ······<ns0:title>Disable·SSH·Root·Login</ns0:title> | 47 | ······<ns0:title>Disable·SSH·Root·Login</ns0:title> |
| 48 | ······<ns0:actions> | 48 | ······<ns0:actions> |
| 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> | 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref> |
| 50 | ······</ns0:actions> | 50 | ······</ns0:actions> |
| Offset 69, 26 lines modified | Offset 69, 26 lines modified | ||
| 69 | ····</ns0:questionnaire> | 69 | ····</ns0:questionnaire> |
| 70 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> | 70 | ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"> |
| 71 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> | 71 | ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title> |
| 72 | ······<ns0:actions> | 72 | ······<ns0:actions> |
| 73 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> | 73 | ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref> |
| 74 | ······</ns0:actions> | 74 | ······</ns0:actions> |
| 75 | ····</ns0:questionnaire> | 75 | ····</ns0:questionnaire> |
| 76 | ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | ||
| 77 | ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | ||
| 78 | ······<ns0:actions> | ||
| 79 | ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | ||
| 80 | ······</ns0:actions> | ||
| 81 | ····</ns0:questionnaire> | ||
| 82 | ····<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"> | 76 | ····<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"> |
| 83 | ······<ns0:title>Enable·syslog-ng·Service</ns0:title> | 77 | ······<ns0:title>Enable·syslog-ng·Service</ns0:title> |
| 84 | ······<ns0:actions> | 78 | ······<ns0:actions> |
| 85 | ········<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref> | 79 | ········<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref> |
| 86 | ······</ns0:actions> | 80 | ······</ns0:actions> |
| 87 | ····</ns0:questionnaire> | 81 | ····</ns0:questionnaire> |
| 82 | ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> | ||
| 83 | ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> | ||
| 84 | ······<ns0:actions> | ||
| 85 | ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> | ||
| 86 | ······</ns0:actions> | ||
| 87 | ····</ns0:questionnaire> | ||
| 88 | ····<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"> | 88 | ····<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"> |
| 89 | ······<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title> | 89 | ······<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title> |
| 90 | ······<ns0:actions> | 90 | ······<ns0:actions> |
| 91 | ········<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref> | 91 | ········<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref> |
| 92 | ······</ns0:actions> | 92 | ······</ns0:actions> |
| 93 | ····</ns0:questionnaire> | 93 | ····</ns0:questionnaire> |
| 94 | ····<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"> | 94 | ····<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"> |
| Offset 209, 23 lines modified | Offset 209, 23 lines modified | ||
| 209 | ······<ns0:title>Enable·Randomized·Layout·of·Virtual·Address·Space</ns0:title> | 209 | ······<ns0:title>Enable·Randomized·Layout·of·Virtual·Address·Space</ns0:title> |
| 210 | ······<ns0:actions> | 210 | ······<ns0:actions> |
| 211 | ········<ns0:test_action_ref>ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1</ns0:test_action_ref> | 211 | ········<ns0:test_action_ref>ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1</ns0:test_action_ref> |
| 212 | ······</ns0:actions> | 212 | ······</ns0:actions> |
| 213 | ····</ns0:questionnaire> | 213 | ····</ns0:questionnaire> |
| 214 | ··</ns0:questionnaires> | 214 | ··</ns0:questionnaires> |
| 215 | ··<ns0:test_actions> | 215 | ··<ns0:test_actions> |
| 216 | ····<ns0:boolean_question_test_action·id="ocil:ssg-service_ | 216 | ····<ns0:boolean_question_test_action·id="ocil:ssg-service_ntp_enabled_action:testaction:1"·question_ref="ocil:ssg-service_ntp_enabled_question:question:1"> |
| 217 | ······<ns0:when_true> | 217 | ······<ns0:when_true> |
| 218 | ········<ns0:result>PASS</ns0:result> | 218 | ········<ns0:result>PASS</ns0:result> |
| 219 | ······</ns0:when_true> | 219 | ······</ns0:when_true> |
| 220 | ······<ns0:when_false> | 220 | ······<ns0:when_false> |
| 221 | ········<ns0:result>FAIL</ns0:result> | 221 | ········<ns0:result>FAIL</ns0:result> |
| 222 | ······</ns0:when_false> | 222 | ······</ns0:when_false> |
| 223 | ····</ns0:boolean_question_test_action> | 223 | ····</ns0:boolean_question_test_action> |
| 224 | ····<ns0:boolean_question_test_action·id="ocil:ssg-service_ | 224 | ····<ns0:boolean_question_test_action·id="ocil:ssg-service_auditd_enabled_action:testaction:1"·question_ref="ocil:ssg-service_auditd_enabled_question:question:1"> |
| 225 | ······<ns0:when_true> | 225 | ······<ns0:when_true> |
| 226 | ········<ns0:result>PASS</ns0:result> | 226 | ········<ns0:result>PASS</ns0:result> |
| 227 | ······</ns0:when_true> | 227 | ······</ns0:when_true> |
| 228 | ······<ns0:when_false> | 228 | ······<ns0:when_false> |
| 229 | ········<ns0:result>FAIL</ns0:result> | 229 | ········<ns0:result>FAIL</ns0:result> |
| 230 | ······</ns0:when_false> | 230 | ······</ns0:when_false> |
| 231 | ····</ns0:boolean_question_test_action> | 231 | ····</ns0:boolean_question_test_action> |
| Offset 233, 15 lines modified | Offset 233, 15 lines modified | ||
| 233 | ······<ns0:when_true> | 233 | ······<ns0:when_true> |
| 234 | ········<ns0:result>PASS</ns0:result> | 234 | ········<ns0:result>PASS</ns0:result> |
| 235 | ······</ns0:when_true> | 235 | ······</ns0:when_true> |
| 236 | ······<ns0:when_false> | 236 | ······<ns0:when_false> |
| 237 | ········<ns0:result>FAIL</ns0:result> | 237 | ········<ns0:result>FAIL</ns0:result> |
| 238 | ······</ns0:when_false> | 238 | ······</ns0:when_false> |
| 239 | ····</ns0:boolean_question_test_action> | 239 | ····</ns0:boolean_question_test_action> |
| 240 | ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_ | 240 | ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_set_keepalive_action:testaction:1"·question_ref="ocil:ssg-sshd_set_keepalive_question:question:1"> |
| 241 | ······<ns0:when_true> | 241 | ······<ns0:when_true> |
| 242 | ········<ns0:result>PASS</ns0:result> | 242 | ········<ns0:result>PASS</ns0:result> |
| 243 | ······</ns0:when_true> | 243 | ······</ns0:when_true> |
| 244 | ······<ns0:when_false> | 244 | ······<ns0:when_false> |
| 245 | ········<ns0:result>FAIL</ns0:result> | 245 | ········<ns0:result>FAIL</ns0:result> |
| 246 | ······</ns0:when_false> | 246 | ······</ns0:when_false> |
| 247 | ····</ns0:boolean_question_test_action> | 247 | ····</ns0:boolean_question_test_action> |
| Max diff block lines reached; 8374/15683 bytes (53.40%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> | 12 | ········<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Debian·8</ns0:platform> | 14 | ··········<ns0:platform>Debian·8</ns0:platform> |
| Offset 160, 67 lines modified | Offset 160, 14 lines modified | ||
| 160 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 160 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 161 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 161 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> | 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 164 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 164 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 165 | ··</metadata> | 165 | ··</metadata> |
| 166 | ··<model·system="urn:xccdf:scoring:default"/> | 166 | ··<model·system="urn:xccdf:scoring:default"/> |
| 167 | ··<Profile·id="anssi_np_nt28_restrictive"> | ||
| 168 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title> | ||
| 169 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description> | ||
| 170 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | ||
| 171 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | ||
| 172 | ····<select·idref="package_telnetd_removed"·selected="true"/> | ||
| 173 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | ||
| 174 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | ||
| 175 | ····<select·idref="package_nis_removed"·selected="true"/> | ||
| 176 | ····<select·idref="package_rsyslog_installed"·selected="true"/> | ||
| 177 | ····<select·idref="service_rsyslog_enabled"·selected="true"/> | ||
| 178 | ····<select·idref="package_syslogng_installed"·selected="true"/> | ||
| 179 | ····<select·idref="service_syslogng_enabled"·selected="true"/> | ||
| 180 | ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> | ||
| 181 | ····<select·idref="apt_sources_list_official"·selected="true"/> | ||
| 182 | ····<select·idref="file_permissions_etc_shadow"·selected="true"/> | ||
| 183 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> | ||
| 184 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> | ||
| 185 | ····<select·idref="file_permissions_etc_group"·selected="true"/> | ||
| 186 | ····<select·idref="package_ntp_installed"·selected="true"/> | ||
| 187 | ····<select·idref="package_ntpdate_removed"·selected="true"/> | ||
| 188 | ····<select·idref="sshd_set_idle_timeout"·selected="true"/> | ||
| 189 | ····<select·idref="sshd_disable_root_login"·selected="true"/> | ||
| 190 | ····<select·idref="sshd_disable_empty_passwords"·selected="true"/> | ||
| 191 | ····<select·idref="sshd_allow_only_protocol2"·selected="true"/> | ||
| 192 | ····<select·idref="sshd_set_keepalive"·selected="true"/> | ||
| 193 | ····<select·idref="rsyslog_files_ownership"·selected="true"/> | ||
| 194 | ····<select·idref="rsyslog_files_groupownership"·selected="true"/> | ||
| 195 | ····<select·idref="rsyslog_files_permissions"·selected="true"/> | ||
| 196 | ····<select·idref="rsyslog_remote_loghost"·selected="false"/> | ||
| 197 | ····<select·idref="ensure_logrotate_activated"·selected="true"/> | ||
| 198 | ····<select·idref="file_permissions_systemmap"·selected="true"/> | ||
| 199 | ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> | ||
| 200 | ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> | ||
| 201 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | ||
| 202 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | ||
| 203 | ····<select·idref="partition_for_tmp"·selected="true"/> | ||
| 204 | ····<select·idref="partition_for_var"·selected="true"/> | ||
| 205 | ····<select·idref="partition_for_var_log"·selected="true"/> | ||
| 206 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 207 | ····<select·idref="partition_for_home"·selected="true"/> | ||
| 208 | ····<select·idref="package_auditd_installed"·selected="true"/> | ||
| 209 | ····<select·idref="package_cron_installed"·selected="true"/> | ||
| 210 | ····<select·idref="service_auditd_enabled"·selected="true"/> | ||
| 211 | ····<select·idref="service_ntp_enabled"·selected="true"/> | ||
| 212 | ····<select·idref="remediation_functions"·selected="false"/> | ||
| 213 | ····<select·idref="software"·selected="false"/> | ||
| 214 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | ||
| 215 | ····<select·idref="accounts"·selected="false"/> | ||
| 216 | ····<select·idref="accounts-restrictions"·selected="false"/> | ||
| 217 | ····<select·idref="hw-install"·selected="false"/> | ||
| 218 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | ||
| 219 | ··</Profile> | ||
| 220 | ··<Profile·id="anssi_np_nt28_average"> | 167 | ··<Profile·id="anssi_np_nt28_average"> |
| 221 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title> | 168 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title> |
| 222 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description> | 169 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description> |
| 223 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | 170 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> |
| 224 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | 171 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> |
| 225 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 172 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 226 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 173 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| Offset 255, 24 lines modified | Offset 202, 24 lines modified | ||
| 255 | ····<select·idref="ensure_logrotate_activated"·selected="true"/> | 202 | ····<select·idref="ensure_logrotate_activated"·selected="true"/> |
| 256 | ····<select·idref="file_permissions_systemmap"·selected="true"/> | 203 | ····<select·idref="file_permissions_systemmap"·selected="true"/> |
| 257 | ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> | 204 | ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> |
| 258 | ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> | 205 | ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> |
| 259 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | 206 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> |
| 260 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | 207 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> |
| 261 | ····<select·idref="remediation_functions"·selected="false"/> | 208 | ····<select·idref="remediation_functions"·selected="false"/> |
| 262 | ····<select·idref="software"·selected="false"/> | ||
| 263 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 209 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 264 | ····<select·idref="accounts"·selected="false"/> | 210 | ····<select·idref="accounts"·selected="false"/> |
| 265 | ····<select·idref="accounts-restrictions"·selected="false"/> | 211 | ····<select·idref="accounts-restrictions"·selected="false"/> |
| 266 | ····<select·idref="hw-install"·selected="false"/> | 212 | ····<select·idref="hw-install"·selected="false"/> |
| 213 | ····<select·idref="software"·selected="false"/> | ||
| 267 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 214 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 268 | ··</Profile> | 215 | ··</Profile> |
| 269 | ··<Profile·id="anssi_np_nt28_ | 216 | ··<Profile·id="anssi_np_nt28_restrictive"> |
| 270 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28· | 217 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title> |
| 271 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations· | 218 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description> |
| 272 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | 219 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> |
| 273 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | 220 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> |
| 274 | ····<select·idref="package_telnetd_removed"·selected="true"/> | 221 | ····<select·idref="package_telnetd_removed"·selected="true"/> |
| 275 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> | 222 | ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> |
| 276 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> | 223 | ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> |
| 277 | ····<select·idref="package_nis_removed"·selected="true"/> | 224 | ····<select·idref="package_nis_removed"·selected="true"/> |
| 278 | ····<select·idref="package_rsyslog_installed"·selected="true"/> | 225 | ····<select·idref="package_rsyslog_installed"·selected="true"/> |
| Offset 307, 20 lines modified | Offset 254, 20 lines modified | ||
| 307 | ····<select·idref="partition_for_var_log"·selected="true"/> | 254 | ····<select·idref="partition_for_var_log"·selected="true"/> |
| 308 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | 255 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> |
| 309 | ····<select·idref="partition_for_home"·selected="true"/> | 256 | ····<select·idref="partition_for_home"·selected="true"/> |
| 310 | ····<select·idref="package_auditd_installed"·selected="true"/> | 257 | ····<select·idref="package_auditd_installed"·selected="true"/> |
| 311 | ····<select·idref="package_cron_installed"·selected="true"/> | 258 | ····<select·idref="package_cron_installed"·selected="true"/> |
| 312 | ····<select·idref="service_auditd_enabled"·selected="true"/> | 259 | ····<select·idref="service_auditd_enabled"·selected="true"/> |
| 313 | ····<select·idref="service_ntp_enabled"·selected="true"/> | 260 | ····<select·idref="service_ntp_enabled"·selected="true"/> |
| 314 | ····<select·idref="grub2_enable_iommu_force"·selected="true"/> | ||
| 315 | ····<select·idref="remediation_functions"·selected="false"/> | 261 | ····<select·idref="remediation_functions"·selected="false"/> |
| 316 | ····<select·idref="software"·selected="false"/> | ||
| 317 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 262 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 318 | ····<select·idref="accounts"·selected="false"/> | 263 | ····<select·idref="accounts"·selected="false"/> |
| 319 | ····<select·idref="accounts-restrictions"·selected="false"/> | 264 | ····<select·idref="accounts-restrictions"·selected="false"/> |
| 265 | ····<select·idref="hw-install"·selected="false"/> | ||
| 266 | ····<select·idref="software"·selected="false"/> | ||
| 320 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> | 267 | ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> |
| 321 | ··</Profile> | 268 | ··</Profile> |
| 322 | ··<Profile·id="anssi_np_nt28_minimal"> | 269 | ··<Profile·id="anssi_np_nt28_minimal"> |
| 323 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title> | 270 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title> |
| 324 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description> | 271 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description> |
| 325 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> | 272 | ····<select·idref="sudo_remove_nopasswd"·selected="true"/> |
| 326 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> | 273 | ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> |
| Offset 338, 28 lines modified | Offset 285, 81 lines modified | ||
| 338 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> | 285 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> |
| 339 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> | 286 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> |
| 340 | ····<select·idref="file_permissions_etc_group"·selected="true"/> | 287 | ····<select·idref="file_permissions_etc_group"·selected="true"/> |
| 341 | ····<select·idref="remediation_functions"·selected="false"/> | 288 | ····<select·idref="remediation_functions"·selected="false"/> |
| 342 | ····<select·idref="basics"·selected="false"/> | 289 | ····<select·idref="basics"·selected="false"/> |
| 343 | ····<select·idref="ssh"·selected="false"/> | 290 | ····<select·idref="ssh"·selected="false"/> |
| 344 | ····<select·idref="ssh_server"·selected="false"/> | 291 | ····<select·idref="ssh_server"·selected="false"/> |
| 345 | ····<select·idref="software"·selected="false"/> | ||
| 346 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 292 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 347 | ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/> | 293 | ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/> |
| Max diff block lines reached; 119305/128573 bytes (92.79%) of diff not shown. | |||
| Offset 1, 3 lines modified | Offset 1, 3 lines modified | ||
| 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary | 1 | -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary |
| 2 | -rw-r--r--···0········0········0·····57 | 2 | -rw-r--r--···0········0········0·····5704·2018-07-26·14:58:28.000000·control.tar.xz |
| 3 | -rw-r--r--···0········0········0··52 | 3 | -rw-r--r--···0········0········0··5246156·2018-07-26·14:58:28.000000·data.tar.xz |
| Offset 1, 13 lines modified | Offset 1, 13 lines modified | ||
| 1 | Package:·ssg-nondebian | 1 | Package:·ssg-nondebian |
| 2 | Source:·scap-security-guide | 2 | Source:·scap-security-guide |
| 3 | Version:·0.1.39-2 | 3 | Version:·0.1.39-2 |
| 4 | Architecture:·all | 4 | Architecture:·all |
| 5 | Maintainer:·Debian·Security·Tools·<team+pkg-security@tracker.debian.org> | 5 | Maintainer:·Debian·Security·Tools·<team+pkg-security@tracker.debian.org> |
| 6 | Installed-Size:·266 | 6 | Installed-Size:·266316 |
| 7 | Depends:·ssg-base | 7 | Depends:·ssg-base |
| 8 | Section:·admin | 8 | Section:·admin |
| 9 | Priority:·optional | 9 | Priority:·optional |
| 10 | Multi-Arch:·foreign | 10 | Multi-Arch:·foreign |
| 11 | Homepage:·https://www.open-scap.org/security-policies/scap-security-guide | 11 | Homepage:·https://www.open-scap.org/security-policies/scap-security-guide |
| 12 | Description:·SCAP·Guides·and·benchmarks·targeting·other·GNU/Linux·OS | 12 | Description:·SCAP·Guides·and·benchmarks·targeting·other·GNU/Linux·OS |
| 13 | ·This·package·contains·all·the·SCAP·guides,·benchmarks·and·remediation | 13 | ·This·package·contains·all·the·SCAP·guides,·benchmarks·and·remediation |
| Offset 2, 29 lines modified | Offset 2, 29 lines modified | ||
| 2 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/ | 2 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/ |
| 3 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/ | 3 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/ |
| 4 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/doc/ | 4 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/doc/ |
| 5 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ | 5 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ |
| 6 | -rw-r--r--···0·root·········(0)·root·········(0)·····1190·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/changelog.Debian.gz | 6 | -rw-r--r--···0·root·········(0)·root·········(0)·····1190·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/changelog.Debian.gz |
| 7 | -rw-r--r--···0·root·········(0)·root·········(0)·····4350·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/changelog.gz | 7 | -rw-r--r--···0·root·········(0)·root·········(0)·····4350·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/changelog.gz |
| 8 | -rw-r--r--···0·root·········(0)·root·········(0)·····3703·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/copyright | 8 | -rw-r--r--···0·root·········(0)·root·········(0)·····3703·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/copyright |
| 9 | -rw-r--r--···0·root·········(0)·root·········(0)··134 | 9 | -rw-r--r--···0·root·········(0)·root·········(0)··1348026·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-C2S.html |
| 10 | -rw-r--r--···0·root·········(0)·root·········(0)··191 | 10 | -rw-r--r--···0·root·········(0)·root·········(0)··1915581·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-CS2.html |
| 11 | -rw-r--r--···0·root·········(0)·root·········(0)··153 | 11 | -rw-r--r--···0·root·········(0)·root·········(0)··1536565·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-CSCF-RHEL6-MLS.html |
| 12 | -rw-r--r--···0·root·········(0)·root·········(0)···500737·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-default.html | 12 | -rw-r--r--···0·root·········(0)·root·········(0)···500737·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-default.html |
| 13 | -rw-r--r--···0·root·········(0)·root·········(0)··156 | 13 | -rw-r--r--···0·root·········(0)·root·········(0)··1569255·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-desktop.html |
| 14 | -rw-r--r--···0·root·········(0)·root·········(0)··1582 | 14 | -rw-r--r--···0·root·········(0)·root·········(0)··1582750·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-fisma-medium-rhel6-server.html |
| 15 | -rw-r--r--···0·root·········(0)·root·········(0)··147 | 15 | -rw-r--r--···0·root·········(0)·root·········(0)··1473725·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-ftp-server.html |
| 16 | -rw-r--r--···0·root·········(0)·root·········(0)·····8309·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-index.html | 16 | -rw-r--r--···0·root·········(0)·root·········(0)·····8309·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-index.html |
| 17 | -rw-r--r--···0·root·········(0)·root·········(0)··1842 | 17 | -rw-r--r--···0·root·········(0)·root·········(0)··1842836·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-nist-CL-IL-AL.html |
| 18 | -rw-r--r--···0·root·········(0)·root·········(0)···997 | 18 | -rw-r--r--···0·root·········(0)·root·········(0)···997840·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-pci-dss.html |
| 19 | -rw-r--r--···0·root·········(0)·root·········(0)···67 | 19 | -rw-r--r--···0·root·········(0)·root·········(0)···676241·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-rht-ccp.html |
| 20 | -rw-r--r--···0·root·········(0)·root·········(0)··145 | 20 | -rw-r--r--···0·root·········(0)·root·········(0)··1457499·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-server.html |
| 21 | -rw-r--r--···0·root·········(0)·root·········(0)··143 | 21 | -rw-r--r--···0·root·········(0)·root·········(0)··1439154·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-standard.html |
| 22 | -rw-r--r--···0·root·········(0)·root·········(0)··1705 | 22 | -rw-r--r--···0·root·········(0)·root·········(0)··1705982·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-stig-rhel6-disa.html |
| 23 | -rw-r--r--···0·root·········(0)·root·········(0)··163 | 23 | -rw-r--r--···0·root·········(0)·root·········(0)··1636052·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-usgcb-rhel6-server.html |
| 24 | -rw-r--r--···0·root·········(0)·root·········(0)··2080943·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-C2S.html | 24 | -rw-r--r--···0·root·········(0)·root·········(0)··2080943·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-C2S.html |
| 25 | -rw-r--r--···0·root·········(0)·root·········(0)··1256874·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-cjis.html | 25 | -rw-r--r--···0·root·········(0)·root·········(0)··1256874·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-cjis.html |
| 26 | -rw-r--r--···0·root·········(0)·root·········(0)···541764·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-default.html | 26 | -rw-r--r--···0·root·········(0)·root·········(0)···541764·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-default.html |
| 27 | -rw-r--r--···0·root·········(0)·root·········(0)··1944352·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-hipaa.html | 27 | -rw-r--r--···0·root·········(0)·root·········(0)··1944352·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-hipaa.html |
| 28 | -rw-r--r--···0·root·········(0)·root·········(0)·····6980·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-index.html | 28 | -rw-r--r--···0·root·········(0)·root·········(0)·····6980·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-index.html |
| 29 | -rw-r--r--···0·root·········(0)·root·········(0)··3034308·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-nist-800-171-cui.html | 29 | -rw-r--r--···0·root·········(0)·root·········(0)··3034308·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-nist-800-171-cui.html |
| 30 | -rw-r--r--···0·root·········(0)·root·········(0)··3034987·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-ospp.html | 30 | -rw-r--r--···0·root·········(0)·root·········(0)··3034987·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-ospp.html |
| Offset 32, 58 lines modified | Offset 32, 58 lines modified | ||
| 32 | -rw-r--r--···0·root·········(0)·root·········(0)···642649·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-rht-ccp.html | 32 | -rw-r--r--···0·root·········(0)·root·········(0)···642649·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-rht-ccp.html |
| 33 | -rw-r--r--···0·root·········(0)·root·········(0)···910410·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-standard.html | 33 | -rw-r--r--···0·root·········(0)·root·········(0)···910410·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-standard.html |
| 34 | -rw-r--r--···0·root·········(0)·root·········(0)··2326692·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-stig-rhel7-disa.html | 34 | -rw-r--r--···0·root·········(0)·root·········(0)··2326692·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-stig-rhel7-disa.html |
| 35 | -rw-r--r--···0·root·········(0)·root·········(0)···541125·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-default.html | 35 | -rw-r--r--···0·root·········(0)·root·········(0)···541125·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-default.html |
| 36 | -rw-r--r--···0·root·········(0)·root·········(0)·····2536·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-index.html | 36 | -rw-r--r--···0·root·········(0)·root·········(0)·····2536·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-index.html |
| 37 | -rw-r--r--···0·root·········(0)·root·········(0)···306930·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-stig-openstack.html | 37 | -rw-r--r--···0·root·········(0)·root·········(0)···306930·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-stig-openstack.html |
| 38 | -rw-r--r--···0·root·········(0)·root·········(0)···501634·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-PCIDSS-RHEL-6-guide-default.html | 38 | -rw-r--r--···0·root·········(0)·root·········(0)···501634·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-PCIDSS-RHEL-6-guide-default.html |
| 39 | -rw-r--r--···0·root·········(0)·root·········(0)··125 | 39 | -rw-r--r--···0·root·········(0)·root·········(0)··1256111·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-PCIDSS-RHEL-6-guide-pci-dss_centric.html |
| 40 | -rw-r--r--···0·root·········(0)·root·········(0)··1449 | 40 | -rw-r--r--···0·root·········(0)·root·········(0)··1449941·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-C2S.html |
| 41 | -rw-r--r--···0·root·········(0)·root·········(0)··208 | 41 | -rw-r--r--···0·root·········(0)·root·········(0)··2083484·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-CS2.html |
| 42 | -rw-r--r--···0·root·········(0)·root·········(0)··165 | 42 | -rw-r--r--···0·root·········(0)·root·········(0)··1653673·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-CSCF-RHEL6-MLS.html |
| 43 | -rw-r--r--···0·root·········(0)·root·········(0)···499080·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-default.html | 43 | -rw-r--r--···0·root·········(0)·root·········(0)···499080·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-default.html |
| 44 | -rw-r--r--···0·root·········(0)·root·········(0)··168 | 44 | -rw-r--r--···0·root·········(0)·root·········(0)··1684320·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-desktop.html |
| 45 | -rw-r--r--···0·root·········(0)·root·········(0)··1698 | 45 | -rw-r--r--···0·root·········(0)·root·········(0)··1698774·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-fisma-medium-rhel6-server.html |
| 46 | -rw-r--r--···0·root·········(0)·root·········(0)··158 | 46 | -rw-r--r--···0·root·········(0)·root·········(0)··1582180·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-ftp-server.html |
| 47 | -rw-r--r--···0·root·········(0)·root·········(0)·····8241·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-index.html | 47 | -rw-r--r--···0·root·········(0)·root·········(0)·····8241·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-index.html |
| 48 | -rw-r--r--···0·root·········(0)·root·········(0)··199 | 48 | -rw-r--r--···0·root·········(0)·root·········(0)··1991261·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-nist-CL-IL-AL.html |
| 49 | -rw-r--r--···0·root·········(0)·root·········(0)··10 | 49 | -rw-r--r--···0·root·········(0)·root·········(0)··1050081·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-pci-dss.html |
| 50 | -rw-r--r--···0·root·········(0)·root·········(0)···728 | 50 | -rw-r--r--···0·root·········(0)·root·········(0)···728834·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-rht-ccp.html |
| 51 | -rw-r--r--···0·root·········(0)·root·········(0)··1562 | 51 | -rw-r--r--···0·root·········(0)·root·········(0)··1562832·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-server.html |
| 52 | -rw-r--r--···0·root·········(0)·root·········(0)··154 | 52 | -rw-r--r--···0·root·········(0)·root·········(0)··1542171·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-standard.html |
| 53 | -rw-r--r--···0·root·········(0)·root·········(0)··184 | 53 | -rw-r--r--···0·root·········(0)·root·········(0)··1846597·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-stig-rhel6-disa.html |
| 54 | -rw-r--r--···0·root·········(0)·root·········(0)··1757 | 54 | -rw-r--r--···0·root·········(0)·root·········(0)··1757917·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-usgcb-rhel6-server.html |
| 55 | -rw-r--r--···0·root·········(0)·root·········(0)···501634·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-PCIDSS-RHEL-7-guide-default.html | 55 | -rw-r--r--···0·root·········(0)·root·········(0)···501634·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-PCIDSS-RHEL-7-guide-default.html |
| 56 | -rw-r--r--···0·root·········(0)·root·········(0)··1429672·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html | 56 | -rw-r--r--···0·root·········(0)·root·········(0)··1429672·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html |
| 57 | -rw-r--r--···0·root·········(0)·root·········(0)··2191116·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-C2S.html | 57 | -rw-r--r--···0·root·········(0)·root·········(0)··2191116·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-C2S.html |
| 58 | -rw-r--r--···0·root·········(0)·root·········(0)··1310403·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-cjis.html | 58 | -rw-r--r--···0·root·········(0)·root·········(0)··1310403·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-cjis.html |
| 59 | -rw-r--r--···0·root·········(0)·root·········(0)···540107·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-default.html | 59 | -rw-r--r--···0·root·········(0)·root·········(0)···540107·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-default.html |
| 60 | -rw-r--r--···0·root·········(0)·root·········(0)··2024942·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-hipaa.html | 60 | -rw-r--r--···0·root·········(0)·root·········(0)··2024942·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-hipaa.html |
| 61 | -rw-r--r--···0·root·········(0)·root·········(0)·····6928·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-index.html | 61 | -rw-r--r--···0·root·········(0)·root·········(0)·····6928·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-index.html |
| 62 | -rw-r--r--···0·root·········(0)·root·········(0)··3230645·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-nist-800-171-cui.html | 62 | -rw-r--r--···0·root·········(0)·root·········(0)··3230645·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-nist-800-171-cui.html |
| 63 | -rw-r--r--···0·root·········(0)·root·········(0)··3231324·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-ospp.html | 63 | -rw-r--r--···0·root·········(0)·root·········(0)··3231324·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-ospp.html |
| 64 | -rw-r--r--···0·root·········(0)·root·········(0)··1237827·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-pci-dss.html | 64 | -rw-r--r--···0·root·········(0)·root·········(0)··1237827·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-pci-dss.html |
| 65 | -rw-r--r--···0·root·········(0)·root·········(0)···678706·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-rht-ccp.html | 65 | -rw-r--r--···0·root·········(0)·root·········(0)···678706·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-rht-ccp.html |
| 66 | -rw-r--r--···0·root·········(0)·root·········(0)···935906·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-standard.html | 66 | -rw-r--r--···0·root·········(0)·root·········(0)···935906·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-standard.html |
| 67 | -rw-r--r--···0·root·········(0)·root·········(0)··2465665·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-stig-rhel7-disa.html | 67 | -rw-r--r--···0·root·········(0)·root·········(0)··2465665·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-stig-rhel7-disa.html |
| 68 | -rw-r--r--···0·root·········(0)·root·········(0)··134 | 68 | -rw-r--r--···0·root·········(0)·root·········(0)··1348537·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-C2S.html |
| 69 | -rw-r--r--···0·root·········(0)·root·········(0)··191 | 69 | -rw-r--r--···0·root·········(0)·root·········(0)··1916092·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-CS2.html |
| 70 | -rw-r--r--···0·root·········(0)·root·········(0)··153 | 70 | -rw-r--r--···0·root·········(0)·root·········(0)··1537076·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-CSCF-RHEL6-MLS.html |
| 71 | -rw-r--r--···0·root·········(0)·root·········(0)···501248·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-default.html | 71 | -rw-r--r--···0·root·········(0)·root·········(0)···501248·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-default.html |
| 72 | -rw-r--r--···0·root·········(0)·root·········(0)··1569 | 72 | -rw-r--r--···0·root·········(0)·root·········(0)··1569766·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-desktop.html |
| 73 | -rw-r--r--···0·root·········(0)·root·········(0)··158 | 73 | -rw-r--r--···0·root·········(0)·root·········(0)··1583261·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-fisma-medium-rhel6-server.html |
| 74 | -rw-r--r--···0·root·········(0)·root·········(0)··147 | 74 | -rw-r--r--···0·root·········(0)·root·········(0)··1474236·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-ftp-server.html |
| 75 | -rw-r--r--···0·root·········(0)·root·········(0)·····8173·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-index.html | 75 | -rw-r--r--···0·root·········(0)·root·········(0)·····8173·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-index.html |
| 76 | -rw-r--r--···0·root·········(0)·root·········(0)··184 | 76 | -rw-r--r--···0·root·········(0)·root·········(0)··1843347·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-nist-CL-IL-AL.html |
| 77 | -rw-r--r--···0·root·········(0)·root·········(0)···99 | 77 | -rw-r--r--···0·root·········(0)·root·········(0)···998351·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-pci-dss.html |
| 78 | -rw-r--r--···0·root·········(0)·root·········(0)···676 | 78 | -rw-r--r--···0·root·········(0)·root·········(0)···676752·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-rht-ccp.html |
| 79 | -rw-r--r--···0·root·········(0)·root·········(0)··145 | 79 | -rw-r--r--···0·root·········(0)·root·········(0)··1458010·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-server.html |
| 80 | -rw-r--r--···0·root·········(0)·root·········(0)··143 | 80 | -rw-r--r--···0·root·········(0)·root·········(0)··1439665·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-standard.html |
| 81 | -rw-r--r--···0·root·········(0)·root·········(0)··170 | 81 | -rw-r--r--···0·root·········(0)·root·········(0)··1706493·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-stig-rhel6-disa.html |
| 82 | -rw-r--r--···0·root·········(0)·root·········(0)··163 | 82 | -rw-r--r--···0·root·········(0)·root·········(0)··1636563·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-usgcb-rhel6-server.html |
| 83 | -rw-r--r--···0·root·········(0)·root·········(0)··2081454·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-C2S.html | 83 | -rw-r--r--···0·root·········(0)·root·········(0)··2081454·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-C2S.html |
| 84 | -rw-r--r--···0·root·········(0)·root·········(0)··1257385·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-cjis.html | 84 | -rw-r--r--···0·root·········(0)·root·········(0)··1257385·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-cjis.html |
| 85 | -rw-r--r--···0·root·········(0)·root·········(0)···542275·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-default.html | 85 | -rw-r--r--···0·root·········(0)·root·········(0)···542275·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-default.html |
| 86 | -rw-r--r--···0·root·········(0)·root·········(0)··1944863·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-hipaa.html | 86 | -rw-r--r--···0·root·········(0)·root·········(0)··1944863·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-hipaa.html |
| 87 | -rw-r--r--···0·root·········(0)·root·········(0)·····6876·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-index.html | 87 | -rw-r--r--···0·root·········(0)·root·········(0)·····6876·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-index.html |
| 88 | -rw-r--r--···0·root·········(0)·root·········(0)··3034819·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-nist-800-171-cui.html | 88 | -rw-r--r--···0·root·········(0)·root·········(0)··3034819·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-nist-800-171-cui.html |
| 89 | -rw-r--r--···0·root·········(0)·root·········(0)··3035498·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-ospp.html | 89 | -rw-r--r--···0·root·········(0)·root·········(0)··3035498·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-ospp.html |
| Offset 119, 140 lines modified | Offset 119, 140 lines modified | ||
| 119 | -rw-r--r--···0·root·········(0)·root·········(0)··2223735·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/table-rhel7-srgmap.html | 119 | -rw-r--r--···0·root·········(0)·root·········(0)··2223735·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/table-rhel7-srgmap.html |
| 120 | -rw-r--r--···0·root·········(0)·root·········(0)···277886·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/table-rhel7-stig-testinfo.html | 120 | -rw-r--r--···0·root·········(0)·root·········(0)···277886·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/table-rhel7-stig-testinfo.html |
| 121 | -rw-r--r--···0·root·········(0)·root·········(0)···223440·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/table-rhel7-stig.html | 121 | -rw-r--r--···0·root·········(0)·root·········(0)···223440·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/table-rhel7-stig.html |
| 122 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/doc-base/ | 122 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/doc-base/ |
| 123 | -rw-r--r--···0·root·········(0)·root·········(0)······498·2018-07-26·14:58:28.000000·./usr/share/doc-base/ssg-nondebian | 123 | -rw-r--r--···0·root·········(0)·root·········(0)······498·2018-07-26·14:58:28.000000·./usr/share/doc-base/ssg-nondebian |
| 124 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ | 124 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ |
| 125 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ | 125 | drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ |
| 126 | -rw-r--r--···0·root·········(0)·root·········(0)····9 | 126 | -rw-r--r--···0·root·········(0)·root·········(0)····96113·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-C2S.yml |
| 127 | -rw-r--r--···0·root·········(0)·root·········(0)···1 | 127 | -rw-r--r--···0·root·········(0)·root·········(0)···170797·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-CS2.yml |
| 128 | -rw-r--r--···0·root·········(0)·root·········(0)···13 | 128 | -rw-r--r--···0·root·········(0)·root·········(0)···132581·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-CSCF-RHEL6-MLS.yml |
| 129 | -rw-r--r--···0·root·········(0)·root·········(0)···14 | 129 | -rw-r--r--···0·root·········(0)·root·········(0)···141410·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-desktop.yml |
| 130 | -rw-r--r--···0·root·········(0)·root·········(0)···15 | 130 | -rw-r--r--···0·root·········(0)·root·········(0)···152774·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-fisma-medium-rhel6-server.yml |
| 131 | -rw-r--r--···0·root·········(0)·root·········(0)···13 | 131 | -rw-r--r--···0·root·········(0)·root·········(0)···132645·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-ftp-server.yml |
| 132 | -rw-r--r--···0·root·········(0)·root·········(0)···17 | 132 | -rw-r--r--···0·root·········(0)·root·········(0)···173059·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-nist-CL-IL-AL.yml |
| 133 | -rw-r--r--···0·root·········(0)·root·········(0)····9205 | 133 | -rw-r--r--···0·root·········(0)·root·········(0)····92505·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-pci-dss.yml |
| 134 | -rw-r--r--···0·root·········(0)·root·········(0)····4 | 134 | -rw-r--r--···0·root·········(0)·root·········(0)····47100·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-rht-ccp.yml |
| 135 | -rw-r--r--···0·root·········(0)·root·········(0)···13 | 135 | -rw-r--r--···0·root·········(0)·root·········(0)···132310·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-server.yml |
| 136 | -rw-r--r--···0·root·········(0)·root·········(0)···13 | 136 | -rw-r--r--···0·root·········(0)·root·········(0)···132081·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-standard.yml |
| 137 | -rw-r--r--···0·root·········(0)·root·········(0)···15 | 137 | -rw-r--r--···0·root·········(0)·root·········(0)···152712·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-stig-rhel6-disa.yml |
| 138 | -rw-r--r--···0·root·········(0)·root·········(0)···15 | 138 | -rw-r--r--···0·root·········(0)·root·········(0)···152508·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-usgcb-rhel6-server.yml |
| 139 | -rw-r--r--···0·root·········(0)·root·········(0)···209133·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-C2S.yml | 139 | -rw-r--r--···0·root·········(0)·root·········(0)···209133·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-C2S.yml |
| 140 | -rw-r--r--···0·root·········(0)·root·········(0)···112377·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-cjis.yml | 140 | -rw-r--r--···0·root·········(0)·root·········(0)···112377·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-cjis.yml |
| 141 | -rw-r--r--···0·root·········(0)·root·········(0)···190441·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-hipaa.yml | 141 | -rw-r--r--···0·root·········(0)·root·········(0)···190441·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-hipaa.yml |
| 142 | -rw-r--r--···0·root·········(0)·root·········(0)···320643·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-nist-800-171-cui.yml | 142 | -rw-r--r--···0·root·········(0)·root·········(0)···320643·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-nist-800-171-cui.yml |
| 143 | -rw-r--r--···0·root·········(0)·root·········(0)···321377·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-ospp.yml | 143 | -rw-r--r--···0·root·········(0)·root·········(0)···321377·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-ospp.yml |
| 144 | -rw-r--r--···0·root·········(0)·root·········(0)···104337·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-pci-dss.yml | 144 | -rw-r--r--···0·root·········(0)·root·········(0)···104337·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-pci-dss.yml |
| 145 | -rw-r--r--···0·root·········(0)·root·········(0)····43757·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-rht-ccp.yml | 145 | -rw-r--r--···0·root·········(0)·root·········(0)····43757·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-rht-ccp.yml |
| 146 | -rw-r--r--···0·root·········(0)·root·········(0)····82665·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-standard.yml | 146 | -rw-r--r--···0·root·········(0)·root·········(0)····82665·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-standard.yml |
| 147 | -rw-r--r--···0·root·········(0)·root·········(0)···232273·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-stig-rhel7-disa.yml | 147 | -rw-r--r--···0·root·········(0)·root·········(0)···232273·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-stig-rhel7-disa.yml |
| 148 | -rw-r--r--···0·root·········(0)·root·········(0)·····1177·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel-osp7-role-stig-openstack.yml | 148 | -rw-r--r--···0·root·········(0)·root·········(0)·····1177·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel-osp7-role-stig-openstack.yml |
| 149 | -rw-r--r--···0·root·········(0)·root·········(0)····9 | 149 | -rw-r--r--···0·root·········(0)·root·········(0)····96113·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-C2S.yml |
| 150 | -rw-r--r--···0·root·········(0)·root·········(0)···1 | 150 | -rw-r--r--···0·root·········(0)·root·········(0)···170797·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-CS2.yml |
| 151 | -rw-r--r--···0·root·········(0)·root·········(0)···13 | 151 | -rw-r--r--···0·root·········(0)·root·········(0)···132581·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-CSCF-RHEL6-MLS.yml |
| 152 | -rw-r--r--···0·root·········(0)·root·········(0)···14 | 152 | -rw-r--r--···0·root·········(0)·root·········(0)···141410·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-desktop.yml |
| 153 | -rw-r--r--···0·root·········(0)·root·········(0)···15 | 153 | -rw-r--r--···0·root·········(0)·root·········(0)···152774·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-fisma-medium-rhel6-server.yml |
| 154 | -rw-r--r--···0·root·········(0)·root·········(0)···13 | 154 | -rw-r--r--···0·root·········(0)·root·········(0)···132645·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-ftp-server.yml |
| 155 | -rw-r--r--···0·root·········(0)·root·········(0)···17 | 155 | -rw-r--r--···0·root·········(0)·root·········(0)···173059·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-nist-CL-IL-AL.yml |
| 156 | -rw-r--r--···0·root·········(0)·root·········(0)····9205 | 156 | -rw-r--r--···0·root·········(0)·root·········(0)····92505·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-pci-dss.yml |
| Max diff block lines reached; 27956/57407 bytes (48.70%) of diff not shown. | |||
| Offset 65, 45 lines modified | Offset 65, 43 lines modified | ||
| 65 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 65 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 66 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 66 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 67 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 67 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 68 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 68 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 69 | quality,·reliability,·or·any·other·characteristic. | 69 | quality,·reliability,·or·any·other·characteristic. |
| 70 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 70 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 71 | ····························(as·of·2018-07-26) | 71 | ····························(as·of·2018-07-26) |
| 72 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 72 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1198,·SHA:·bdda777e798c14415249d64418047c1cc9cd8c85417860e53ddf05c3b92b2b1b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·188·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 74 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 74 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 75 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 75 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 76 | ones·can·be·safely·disabled. | 76 | ones·can·be·safely·disabled. |
| 77 | <br><br> | 77 | <br><br> |
| 78 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 78 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 79 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 79 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 80 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 80 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 82 | 82 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 83 | 83 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 84 | 84 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 85 | 85 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 86 | 86 | <br><br> | |
| 87 | 87 | However,·there·are·some·FTP·server·configurations·which·may | |
| 88 | 88 | be·appropriate·for·some·environments,·particularly·those·which | |
| 89 | 89 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 90 | de | 90 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 91 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_s | 91 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 92 | 92 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package | |
| 93 | a | 93 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 94 | sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_samba_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_samba_removed"·id="guide-tree-leaf-idm29012"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_samba_removed">Uninstall·samba·Package | ||
| 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_samba_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 96 | ············ | 94 | ············ |
| 97 | ········The·<code>s | 95 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: |
| 98 | ········<pre>$·sudo·yum·erase·s | 96 | ········<pre>$·sudo·yum·erase·vsftpd</pre> |
| 99 | ··········</p><span·class="label·label-primary">Rationale:</span><p> | 97 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 100 | 98 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 101 | 99 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | |
| 102 | ············· | 100 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29119">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29119"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 103 | # | 101 | # |
| 104 | #·Example·Call(s): | 102 | #·Example·Call(s): |
| 105 | # | 103 | # |
| 106 | #·····package_remove·telnet-server | 104 | #·····package_remove·telnet-server |
| 107 | # | 105 | # |
| 108 | function·package_remove·{ | 106 | function·package_remove·{ |
| Offset 132, 59 lines modified | Offset 130, 60 lines modified | ||
| 132 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 130 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 133 | ··echo·"Aborting." | 131 | ··echo·"Aborting." |
| 134 | ··exit·1 | 132 | ··exit·1 |
| 135 | fi | 133 | fi |
| 136 | } | 134 | } |
| 137 | package_remove·s | 135 | package_remove·vsftpd |
| 138 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 136 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29121">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29121"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·removed |
| 139 | ··package: | 137 | ··package: |
| 140 | ····name="{{item}}" | 138 | ····name="{{item}}" |
| 141 | ····state=absent | 139 | ····state=absent |
| 142 | ··with_items: | 140 | ··with_items: |
| 143 | ····-·s | 141 | ····-·vsftpd |
| 144 | ··tags: | 142 | ··tags: |
| 145 | ····-·package_s | 143 | ····-·package_vsftpd_removed |
| 146 | ····-·unknown_severity | 144 | ····-·unknown_severity |
| 147 | ····-·disable_strategy | 145 | ····-·disable_strategy |
| 148 | ····-·low_complexity | 146 | ····-·low_complexity |
| 149 | ····-·low_disruption | 147 | ····-·low_disruption |
| 150 | ····-·CCE-2 | 148 | ····-·CCE-26687-4 |
| 151 | 149 | ····-·NIST-800-53-CM-7 | |
| 150 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29122">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29122"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_vsftpd | ||
| 152 | class·remove_s | 151 | class·remove_vsftpd·{ |
| 153 | ··package·{·'s | 152 | ··package·{·'vsftpd': |
| 154 | ····ensure·=>·'purged', | 153 | ····ensure·=>·'purged', |
| 155 | ··} | 154 | ··} |
| 156 | } | 155 | } |
| 157 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 156 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 158 | package·--remove=s | 157 | package·--remove=vsftpd |
| 159 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server | 158 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server |
| 160 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to | 159 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to |
| 161 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant | 160 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant |
| 162 | security·risk·because: | 161 | security·risk·because: |
| 163 | <br><br> | 162 | <br><br> |
| 164 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long | 163 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long |
| 165 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive | 164 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive |
| 166 | monitoring</li></ul> | 165 | monitoring</li></ul> |
| 167 | <br><br> | 166 | <br><br> |
| 168 | The·system's·default·web·server·software·is·Apache·2·and·is | 167 | The·system's·default·web·server·software·is·Apache·2·and·is |
| 169 | provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable·Apache·if·Possible | 168 | provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable·Apache·if·Possible |
| 170 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Apache·was·installed·and·activated,·but·the·system | 169 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Apache·was·installed·and·activated,·but·the·system |
| 171 | does·not·need·to·act·as·a·web·server,·then·it·should·be·disabled | 170 | does·not·need·to·act·as·a·web·server,·then·it·should·be·disabled |
| 172 | and·removed·from·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed"·id="guide-tree-leaf-idm291 | 171 | and·removed·from·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed"·id="guide-tree-leaf-idm29172"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_httpd_removed">Uninstall·httpd·Package |
| 173 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_httpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 172 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_httpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 174 | ············ | 173 | ············ |
| 175 | ········The·<code>httpd</code>·package·can·be·removed·with·the·following·command: | 174 | ········The·<code>httpd</code>·package·can·be·removed·with·the·following·command: |
| 176 | ········<pre>$·sudo·yum·erase·httpd</pre> | 175 | ········<pre>$·sudo·yum·erase·httpd</pre> |
| 177 | ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·make·the·web·server·software·available, | 176 | ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·make·the·web·server·software·available, |
| 178 | removing·it·provides·a·safeguard·against·its·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 177 | removing·it·provides·a·safeguard·against·its·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 179 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 178 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 180 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm291 | 179 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29179">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29179"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 181 | # | 180 | # |
| 182 | #·Example·Call(s): | 181 | #·Example·Call(s): |
| 183 | # | 182 | # |
| 184 | #·····package_remove·telnet-server | 183 | #·····package_remove·telnet-server |
| 185 | # | 184 | # |
| 186 | function·package_remove·{ | 185 | function·package_remove·{ |
| Offset 214, 88 lines modified | Offset 213, 54 lines modified | ||
| 214 | ··echo·"Aborting." | 213 | ··echo·"Aborting." |
| 215 | ··exit·1 | 214 | ··exit·1 |
| 216 | fi | 215 | fi |
| 217 | } | 216 | } |
| 218 | package_remove·httpd | 217 | package_remove·httpd |
| 219 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm291 | 218 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29181">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29181"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·httpd·is·removed |
| 220 | ··package: | 219 | ··package: |
| 221 | ····name="{{item}}" | 220 | ····name="{{item}}" |
| 222 | ····state=absent | 221 | ····state=absent |
| 223 | ··with_items: | 222 | ··with_items: |
| 224 | ····-·httpd | 223 | ····-·httpd |
| 225 | ··tags: | 224 | ··tags: |
| 226 | ····-·package_httpd_removed | 225 | ····-·package_httpd_removed |
| 227 | ····-·unknown_severity | 226 | ····-·unknown_severity |
| 228 | ····-·disable_strategy | 227 | ····-·disable_strategy |
| 229 | ····-·low_complexity | 228 | ····-·low_complexity |
| 230 | ····-·low_disruption | 229 | ····-·low_disruption |
| 231 | ····-·CCE-27133-8 | 230 | ····-·CCE-27133-8 |
| Max diff block lines reached; 1491404/1518933 bytes (98.19%) of diff not shown. | |||
| Offset 56, 45 lines modified | Offset 56, 62 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1198,·SHA:·bdda777e798c14415249d64418047c1cc9cd8c85417860e53ddf05c3b92b2b1b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·313·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·124·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·124·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 72 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 72 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 73 | 73 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 74 | 74 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 75 | 75 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 76 | 76 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 77 | 77 | <br><br> | |
| 78 | 78 | However,·there·are·some·FTP·server·configurations·which·may | |
| 79 | 79 | be·appropriate·for·some·environments,·particularly·those·which | |
| 80 | 80 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 81 | de | 81 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is |
| 83 | 83 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | |
| 84 | a | 84 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions |
| 85 | 85 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | |
| 86 | 86 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | |
| 87 | <pre>xferlog_enable=YES | ||
| 88 | xferlog_std_format=NO | ||
| 89 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | ||
| 90 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | ||
| 91 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 92 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 93 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29063"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users | ||
| 94 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 95 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 96 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 97 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 98 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible | ||
| 99 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all | ||
| 100 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | ||
| 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 87 | ············ | 102 | ············ |
| 88 | ········The·<code>s | 103 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 89 | ········<pre>$·sudo·chkconfig·s | 104 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 90 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running· | 105 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue |
| 91 | 106 | of·attack,·and·should·be·disabled·if·not·needed. | |
| 107 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | ||
| 108 | a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 92 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 109 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 93 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 110 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 94 | # | 111 | # |
| 95 | #·Example·Call(s): | 112 | #·Example·Call(s): |
| 96 | # | 113 | # |
| 97 | #·····service_command·enable·bluetooth | 114 | #·····service_command·enable·bluetooth |
| 98 | #·····service_command·disable·bluetooth.service | 115 | #·····service_command·disable·bluetooth.service |
| 99 | # | 116 | # |
| 100 | #·····Using·xinetd: | 117 | #·····Using·xinetd: |
| Offset 161, 135 lines modified | Offset 178, 123 lines modified | ||
| 161 | ··else | 178 | ··else |
| 162 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 179 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 163 | ··fi | 180 | ··fi |
| 164 | fi | 181 | fi |
| 165 | } | 182 | } |
| 166 | service_command·disable·s | 183 | service_command·disable·vsftpd |
| 167 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 184 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29106">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29106"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd |
| 168 | ··service: | 185 | ··service: |
| 169 | ····name="{{item}}" | 186 | ····name="{{item}}" |
| 170 | ····enabled="no" | 187 | ····enabled="no" |
| 171 | ····state="stopped" | 188 | ····state="stopped" |
| 172 | ··register:·service_result | 189 | ··register:·service_result |
| 173 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 190 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 174 | ··with_items: | 191 | ··with_items: |
| 175 | ····-·s | 192 | ····-·vsftpd |
| 176 | ··tags: | 193 | ··tags: |
| 177 | ····-·service_s | 194 | ····-·service_vsftpd_disabled |
| 178 | ····-·unknown_severity | 195 | ····-·unknown_severity |
| 179 | ····-·disable_strategy | 196 | ····-·disable_strategy |
| 180 | ····-·low_complexity | 197 | ····-·low_complexity |
| 181 | ····-·low_disruption | 198 | ····-·low_disruption |
| 182 | ····-·CCE-2 | 199 | ····-·CCE-26948-0 |
| 183 | 200 | ····-·NIST-800-53-CM-7 | |
| 184 | · | 201 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package |
| 185 | 202 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | |
| 186 | 203 | ············ | |
| 187 | 204 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | |
| 188 | 205 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | |
| 189 | an | 206 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 190 | 207 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 191 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_smb_server_disable_root"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_smb_server_disable_root"·id="guide-tree-leaf-idm29068"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_smb_server_disable_root">Disable·Root·Access·to·SMB·Shares | ||
| 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_smb_server_disable_root">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Administrators·should·not·use·administrator·accounts·to·access | ||
| 193 | Samba·file·and·printer·shares.·Disable·the·root·user·and·the·wheel | ||
| 194 | administrator·group: | ||
| 195 | <pre>[<i>share</i>] | ||
| 196 | ··invalid·users·=·root·@wheel</pre> | ||
| 197 | If·administrator·accounts·cannot·be·disabled,·ensure·that·local·system | ||
| 198 | passwords·and·Samba·service·passwords·do·not·match.</p><span·class="label·label-primary">Rationale:</span><p>Typically,·administrator·access·is·required·when·Samba·must·create·user·and | ||
| 199 | system·accounts·and·shares.·Domain·member·servers·and·standalone·servers·may | ||
| 200 | not·need·administrator·access·at·all.·If·that·is·the·case,·add·the·invalid | ||
| 201 | users·parameter·to·<code>[global]</code>·instead.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 202 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29075"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient | ||
| 203 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | ||
| 204 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | ||
| 205 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | ||
| 206 | <pre>client·signing·=·mandatory</pre> | ||
| 207 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | ||
| 208 | signing·ensures·they·can | ||
| 209 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | ||
| 210 | man-in-the-middle·attacks·which·modify·SMB·packets·in | ||
| 211 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 212 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 208 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 213 | ············<a·href="http://iase.disa.mil/stigs/ | 209 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29119">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29119"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 214 | # | 210 | # |
| 215 | # | 211 | #·Example·Call(s): |
| 216 | # | 212 | # |
| 213 | #·····package_remove·telnet-server | ||
| 214 | # | ||
| 215 | function·package_remove·{ | ||
| 217 | 216 | #·Load·function·arguments·into·local·variables | |
| 217 | local·package="$1" | ||
| Max diff block lines reached; 2227557/2257749 bytes (98.66%) of diff not shown. | |||
| Offset 61, 268 lines modified | Offset 61, 146 lines modified | ||
| 61 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 61 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 62 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 62 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 63 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 63 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 64 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 64 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 65 | quality,·reliability,·or·any·other·characteristic. | 65 | quality,·reliability,·or·any·other·characteristic. |
| 66 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 66 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 67 | ····························(as·of·2018-07-26) | 67 | ····························(as·of·2018-07-26) |
| 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SS[·...·truncated·by·diffoscope;·len:·769,·SHA:·db505ea275ff2d5c2ba13f068156b97f7fb51fc9aa062d91c74450db7783e2d3·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·215·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 72 | ones·can·be·safely·disabled. | 72 | ones·can·be·safely·disabled. |
| 73 | <br><br> | 73 | <br><br> |
| 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 76 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·62·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 76 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·62·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 77 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 77 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 78 | 78 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 79 | se | 79 | that·passwords·and·other·data·transmitted·during·the·session·can·be |
| 80 | 80 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 81 | 81 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 82 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive | ||
| 83 | monitoring</li></ul> | ||
| 84 | <br><br> | ||
| 85 | The·system's·default·web·server·software·is·Apache·2·and·is | ||
| 86 | provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_securing_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_securing_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_securing_httpd">Secure·Apache·Configuration | ||
| 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_securing_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>httpd</code>·configuration·file·is | ||
| 88 | <code>/etc/httpd/conf/httpd.conf</code>.·Apply·the·recommendations·in·the·remainder | ||
| 89 | of·this·section·to·this·file.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_securing_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">Restrict·Web·Server·Information·Leakage | ||
| 90 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>ServerTokens</code>·and·<code>ServerSignature</code>·directives·determine·how | ||
| 91 | much·information·the·web·server·discloses·about·the·configuration·of·the | ||
| 92 | system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_servertokens_prod"·id="guide-tree-leaf-idm29179"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod">Set·httpd·ServerTokens·Directive·to·Prod | ||
| 93 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_servertokens_prod">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p><code>ServerTokens·Prod</code>·restricts·information·in·page·headers,·returning·only·the·word·"Apache." | ||
| 94 | <br><br> | 82 | <br><br> |
| 95 | 83 | However,·there·are·some·FTP·server·configurations·which·may | |
| 96 | 84 | be·appropriate·for·some·environments,·particularly·those·which | |
| 97 | 85 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 98 | 86 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible | |
| 99 | ············ | 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 100 | 88 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | |
| 101 | 89 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | |
| 102 | ············ | 90 | ············ |
| 103 | ········ | 91 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 104 | 92 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> | |
| 105 | 93 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue | |
| 106 | 94 | of·attack,·and·should·be·disabled·if·not·needed. | |
| 107 | 95 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | |
| 108 | c | 96 | a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 109 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29245">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29245"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> | ||
| 110 | -·name:·Find·/etc/httpd/conf/*·file(s) | ||
| 111 | ··find: | ||
| 112 | ····paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}" | ||
| 113 | ····patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}" | ||
| 114 | ··register:·files_found | ||
| 115 | ··tags: | ||
| 116 | ····-·file_permissions_httpd_server_conf_files | ||
| 117 | ····-·unknown_severity | ||
| 118 | ····-·configure_strategy | ||
| 119 | ····-·low_complexity | ||
| 120 | ····-·low_disruption | ||
| 121 | ····-·CCE-27316-9 | ||
| 122 | ····-·NIST-800-53-CM-7 | ||
| 123 | -·name:·Set·permissions | ||
| 124 | ··file: | ||
| 125 | ····path:·"{{·item.path·}}" | ||
| 126 | ····mode:·0640 | ||
| 127 | ··with_items: | ||
| 128 | ····-·"{{·files_found.files·}}" | ||
| 129 | ··tags: | ||
| 130 | ····-·file_permissions_httpd_server_conf_files | ||
| 131 | ····-·unknown_severity | ||
| 132 | ····-·configure_strategy | ||
| 133 | ····-·low_complexity | ||
| 134 | ····-·low_disruption | ||
| 135 | ····-·CCE-27316-9 | ||
| 136 | ····-·NIST-800-53-CM-7 | ||
| 137 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·id="guide-tree-leaf-idm29248"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">Set·Permissions·on·the·/var/log/httpd/·Directory | ||
| 138 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Ensure·that·the·permissions·on·the·web·server·log·directory·is·set·to·700: | ||
| 139 | <pre>$·sudo·chmod·700·/var/log/httpd/</pre> | ||
| 140 | This·is·its·default·setting.</p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker | ||
| 141 | to·access·information·about·the·web·server·or·alter·the·server's·log·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 142 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 97 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 143 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div>< | 98 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 144 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. | ||
| 145 | Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious | ||
| 146 | targets·of·network·attack. | ||
| 147 | Ensure·that·systems·are·not·running·MTAs·unnecessarily, | ||
| 148 | and·configure·needed·MTAs·as·defensively·as·possible. | ||
| 149 | <br><br> | ||
| 150 | Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the | ||
| 151 | network.·Users·should·instead·use·mail·client·programs·to·retrieve·email | ||
| 152 | from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. | ||
| 153 | However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, | ||
| 154 | for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. | ||
| 155 | Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from | ||
| 156 | the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), | ||
| 157 | but·the·system·still·cannot·receive·mail·directly·over·a·network. | ||
| 158 | <br><br> | ||
| 159 | The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software | ||
| 160 | (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. | ||
| 161 | Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by | ||
| 162 | SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. | ||
| 163 | More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients | ||
| 164 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only | ||
| 165 | e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29520"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening | ||
| 166 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following | ||
| 167 | <code>inet_interfaces</code>·line·appears: | ||
| 168 | <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages | ||
| 169 | (such·as·cron·job·reports)·from·the·local·system·only, | ||
| 170 | and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 171 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 172 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_sendmail_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed"·id="guide-tree-leaf-idm29612"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_sendmail_removed">Uninstall·Sendmail·Package | ||
| 173 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_sendmail_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Sendmail·is·not·the·default·mail·transfer·agent·and·is | ||
| 174 | not·installed·by·default. | ||
| 175 | ········The·<code>sendmail</code>·package·can·be·removed·with·the·following·command: | ||
| 176 | ········<pre>$·sudo·yum·erase·sendmail</pre></p><span·class="label·label-primary">Rationale:</span><p>The·sendmail·software·was·not·developed·with·security·in·mind·and | ||
| 177 | its·design·prevents·it·from·being·effectively·contained·by·SELinux.··Postfix | ||
| 178 | should·be·used·instead.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 179 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 180 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50472r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29621">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29621"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 181 | # | 99 | # |
| 182 | #·Example·Call(s): | 100 | #·Example·Call(s): |
| 183 | # | 101 | # |
| 184 | #····· | 102 | #·····service_command·enable·bluetooth |
| 103 | #·····service_command·disable·bluetooth.service | ||
| Max diff block lines reached; 1505603/1536600 bytes (97.98%) of diff not shown. | |||
| Offset 56, 89 lines modified | Offset 56, 44 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li[·...·truncated·by·diffoscope;·len:·1394,·SHA:·9a1bfb5c7765341b73597905fe9f3f980e67a77f0272acdc04afd633558c2516·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 74 | 74 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 75 | 75 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 76 | 76 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 77 | 77 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 78 | 78 | <br><br> | |
| 79 | 79 | However,·there·are·some·FTP·server·configurations·which·may | |
| 80 | 80 | be·appropriate·for·some·environments,·particularly·those·which | |
| 81 | 81 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 82 | de | 82 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is |
| 84 | 84 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | |
| 85 | a | 85 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict·the·Set·of·Users·Allowed·to·Access·FTP |
| 86 | 86 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·describes·how·to·disable·non-anonymous·(password-based)·FTP·logins,·or,·if·it·is·not·possible·to | |
| 87 | 87 | do·this·entirely·due·to·legacy·applications,·how·to·restrict·insecure·FTP·login·to·only·those·users·who·have·an | |
| 88 | <co | 88 | identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 89 | <c | 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and |
| 90 | 90 | set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible | |
| 91 | s | 91 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 92 | and·al | 92 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server |
| 93 | printers.·It·is·recommended·that·these·settings·be·changed·or·that | ||
| 94 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb_disable_printing"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_disable_printing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_smb_disable_printing">Restrict·Printer·Sharing | ||
| 95 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb_disable_printing">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·Samba·utilizes·the·CUPS·printing·service·to·enable | ||
| 96 | printer·sharing·with·Microsoft·Windows·workstations.·If·there·are·no·printers | ||
| 97 | on·the·local·system,·or·if·printer·sharing·with·Microsoft·Windows·is·not | ||
| 98 | required,·disable·the·printer·sharing·capability·by·commenting·out·the | ||
| 99 | following·lines,·found·in·<code>/etc/samba/smb.conf</code>: | ||
| 100 | <pre>[global] | ||
| 101 | ··load·printers·=·yes | ||
| 102 | ··cups·options·=·raw | ||
| 103 | [printers] | ||
| 104 | ··comment·=·All·Printers | ||
| 105 | ··path·=·/usr/spool/samba | ||
| 106 | ··browseable·=·no | ||
| 107 | ··guest·ok·=·no | ||
| 108 | ··writable·=·no | ||
| 109 | ··printable·=·yes</pre> | ||
| 110 | There·may·be·other·options·present,·but·these·are·the·only·options·enabled·and | ||
| 111 | uncommented·by·default.·Removing·the·<code>[printers]</code>·share·should·be·enough | ||
| 112 | for·most·users.··If·the·Samba·printer·sharing·capability·is·needed,·consider | ||
| 113 | disabling·the·Samba·network·browsing·capability·or·restricting·access·to·a | ||
| 114 | particular·set·of·users·or·network·addresses.·Set·the·<code>valid·users</code> | ||
| 115 | parameter·to·a·small·subset·of·users·or·restrict·it·to·a·particular·group·of | ||
| 116 | users·with·the·shorthand·<code>@</code>.·Separate·each·user·or·group·of·users·with | ||
| 117 | a·space.·For·example,·under·the·<code>[printers]</code>·share: | ||
| 118 | <pre>[printers] | ||
| 119 | ··valid·users·=·user·@printerusers</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb_disable_printing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">Restrict·SMB·File·Sharing·to·Configured·Networks | ||
| 120 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Only·users·with·local·user·accounts·will·be·able·to·log·in·to | ||
| 121 | Samba·shares·by·default.·Shares·can·be·limited·to·particular·users·or·network | ||
| 122 | addresses.·Use·the·<code>hosts·allow</code>·and·<code>hosts·deny</code>·directives | ||
| 123 | accordingly,·and·consider·setting·the·valid·users·directive·to·a·limited·subset | ||
| 124 | of·users·or·to·a·group·of·users.·Separate·each·address,·user,·or·user·group | ||
| 125 | with·a·space·as·follows·for·a·particular·<i>share</i>·or·global: | ||
| 126 | <pre>[<i>share</i>] | ||
| 127 | ··hosts·allow·=·192.168.1.·127.0.0.1 | ||
| 128 | ··valid·users·=·userone·usertwo·@usergroup</pre> | ||
| 129 | It·is·also·possible·to·limit·read·and·write·access·to·particular·users·with·the | ||
| 130 | read·list·and·write·list·options,·though·the·permissions·set·by·the·system | ||
| 131 | itself·will·override·these·settings.·Set·the·read·only·attribute·for·each·share | ||
| 132 | to·ensure·that·global·settings·will·not·accidentally·override·the·individual | ||
| 133 | share·settings.·Then,·as·with·the·valid·users·directive,·separate·each·user·or | ||
| 134 | group·of·users·with·a·space: | ||
| 135 | <pre>[<i>share</i>] | ||
| 136 | ··read·only·=·yes | ||
| 137 | ··write·list·=·userone·usertwo·@usergroup</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server | ||
| 138 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to | 93 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to |
| 139 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant | 94 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant |
| 140 | security·risk·because: | 95 | security·risk·because: |
| 141 | <br><br> | 96 | <br><br> |
| 142 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long | 97 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long |
| 143 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive | 98 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive |
| 144 | monitoring</li></ul> | 99 | monitoring</li></ul> |
| Offset 351, 165 lines modified | Offset 306, 179 lines modified | ||
| 351 | <pre>#LoadModule·ext_filter_module·modules/mod_ext_filter.so</pre></li><li>User-specified·Cache·Control·and·Expiration | 306 | <pre>#LoadModule·ext_filter_module·modules/mod_ext_filter.so</pre></li><li>User-specified·Cache·Control·and·Expiration |
| 352 | <pre>#LoadModule·expires_module·modules/mod_expires.so</pre></li><li>Compression·Output·Filter·(provides·content·compression·prior·to·client·delivery) | 307 | <pre>#LoadModule·expires_module·modules/mod_expires.so</pre></li><li>Compression·Output·Filter·(provides·content·compression·prior·to·client·delivery) |
| 353 | <pre>#LoadModule·deflate_module·modules/mod_deflate.so</pre></li><li>HTTP·Response/Request·Header·Customization | 308 | <pre>#LoadModule·deflate_module·modules/mod_deflate.so</pre></li><li>HTTP·Response/Request·Header·Customization |
| 354 | <pre>#LoadModule·headers_module·modules/mod_headers.so</pre></li><li>User·activity·monitoring·via·cookies | 309 | <pre>#LoadModule·headers_module·modules/mod_headers.so</pre></li><li>User·activity·monitoring·via·cookies |
| 355 | <pre>#LoadModule·usertrack_module·modules/mod_usertrack.so</pre></li><li>Dynamically·configured·mass·virtual·hosting | 310 | <pre>#LoadModule·usertrack_module·modules/mod_usertrack.so</pre></li><li>Dynamically·configured·mass·virtual·hosting |
| 356 | <pre>#LoadModule·vhost_alias_module·modules/mod_vhost_alias.so</pre></li></ul> | 311 | <pre>#LoadModule·vhost_alias_module·modules/mod_vhost_alias.so</pre></li></ul> |
| 357 | Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 312 | Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 358 | by·limiting·the·capabilities·allowed·by·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 313 | by·limiting·the·capabilities·allowed·by·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server |
| 359 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 314 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at |
| 360 | 315 | least·one·nameserver.·However,·there·are·many·common·attacks | |
| 361 | 316 | involving·DNS·server·software,·and·this·server·software·should | |
| 362 | 317 | be·disabled·on·any·system | |
| 363 | and·con | 318 | on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_isolation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_isolation">Isolate·DNS·from·Other·Services |
| 364 | < | 319 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server |
| 365 | 320 | from·interfering·with·other·services.·This·is·done·both·to·protect·the | |
| 366 | ne | 321 | remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct |
| 367 | fro | 322 | attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail |
| 368 | 323 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package: | |
| 369 | 324 | <pre>$·sudo·yum·install·bind-chroot</pre> | |
| 370 | 325 | Place·a·valid·named.conf·file·inside·the·chroot·jail: | |
| 371 | 326 | <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf | |
| 372 | 327 | $·sudo·chown·root:root·/var/named/chroot/etc/named.conf | |
| 373 | 328 | $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre> | |
| 374 | 329 | Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the | |
| 375 | 330 | options·directive.·If·your·<code>named.conf</code>·includes: | |
| 376 | 331 | <pre>options·{ | |
| 377 | 332 | directory·"/path/to/DIRNAME·"; | |
| 378 | 333 | ... | |
| 379 | 334 | }</pre> | |
| 380 | 335 | then·copy·that·directory·and·its·contents·from·the·original·zone·directory: | |
| 381 | 336 | <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre> | |
| 382 | 337 | Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>: | |
| 383 | 338 | <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers | |
| 384 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 339 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is |
| 385 | 340 | a·high-risk·service·which·must·frequently·be·made·available·to·the·entire | |
| 386 | 341 | Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by | |
| 387 | 342 | machines·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_protection"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_protection">Protect·DNS·Data·from·Tampering·or·Attack | |
| Max diff block lines reached; 198673/261263 bytes (76.04%) of diff not shown. | |||
| Offset 57, 45 lines modified | Offset 57, 45 lines modified | ||
| 57 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·1034,·SHA:·1b10be6148833f42610be20bd7d90e370d8d04968a079fa39af8874411e4f268·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·206·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·63·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·63·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 74 | 74 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 75 | 75 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 76 | 76 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 77 | 77 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 78 | 78 | <br><br> | |
| 79 | 79 | However,·there·are·some·FTP·server·configurations·which·may | |
| 80 | 80 | be·appropriate·for·some·environments,·particularly·those·which | |
| 81 | 81 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 82 | de | 82 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_s | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 84 | 84 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | |
| 85 | a | 85 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 86 | sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm28998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba | ||
| 87 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 88 | ············ | 86 | ············ |
| 89 | ········The·<code>s | 87 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 90 | ········<pre>$·sudo·chkconfig·s | 88 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 91 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running· | 89 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue |
| 92 | 90 | of·attack,·and·should·be·disabled·if·not·needed. | |
| 91 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | ||
| 92 | a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 94 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 94 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 95 | # | 95 | # |
| 96 | #·Example·Call(s): | 96 | #·Example·Call(s): |
| 97 | # | 97 | # |
| 98 | #·····service_command·enable·bluetooth | 98 | #·····service_command·enable·bluetooth |
| 99 | #·····service_command·disable·bluetooth.service | 99 | #·····service_command·disable·bluetooth.service |
| 100 | # | 100 | # |
| 101 | #·····Using·xinetd: | 101 | #·····Using·xinetd: |
| Offset 162, 124 lines modified | Offset 162, 123 lines modified | ||
| 162 | ··else | 162 | ··else |
| 163 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 163 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 164 | ··fi | 164 | ··fi |
| 165 | fi | 165 | fi |
| 166 | } | 166 | } |
| 167 | service_command·disable·s | 167 | service_command·disable·vsftpd |
| 168 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 168 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29106">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29106"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd |
| 169 | ··service: | 169 | ··service: |
| 170 | ····name="{{item}}" | 170 | ····name="{{item}}" |
| 171 | ····enabled="no" | 171 | ····enabled="no" |
| 172 | ····state="stopped" | 172 | ····state="stopped" |
| 173 | ··register:·service_result | 173 | ··register:·service_result |
| 174 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 174 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 175 | ··with_items: | 175 | ··with_items: |
| 176 | ····-·s | 176 | ····-·vsftpd |
| 177 | ··tags: | 177 | ··tags: |
| 178 | ····-·service_s | 178 | ····-·service_vsftpd_disabled |
| 179 | ····-·unknown_severity | 179 | ····-·unknown_severity |
| 180 | ····-·disable_strategy | 180 | ····-·disable_strategy |
| 181 | ····-·low_complexity | 181 | ····-·low_complexity |
| 182 | ····-·low_disruption | 182 | ····-·low_disruption |
| 183 | ····-·CCE-2 | 183 | ····-·CCE-26948-0 |
| 184 | 184 | ····-·NIST-800-53-CM-7 | |
| 185 | · | 185 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package |
| 186 | 186 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | |
| 187 | 187 | ············ | |
| 188 | 188 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | |
| 189 | 189 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | |
| 190 | an | 190 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 191 | 191 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 192 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29075"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient | ||
| 193 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | ||
| 194 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | ||
| 195 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | ||
| 196 | <pre>client·signing·=·mandatory</pre> | ||
| 197 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | ||
| 198 | signing·ensures·they·can | ||
| 199 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | ||
| 200 | man-in-the-middle·attacks·which·modify·SMB·packets·in | ||
| 201 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 202 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 192 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 203 | ············<a·href="http://iase.disa.mil/stigs/ | 193 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29119">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29119"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 204 | # | 194 | # |
| 205 | # | 195 | #·Example·Call(s): |
| 206 | # | 196 | # |
| 197 | #·····package_remove·telnet-server | ||
| 198 | # | ||
| 199 | function·package_remove·{ | ||
| 207 | 200 | #·Load·function·arguments·into·local·variables | |
| 201 | local·package="$1" | ||
| 208 | 202 | #·Check·sanity·of·the·input | |
| 209 | 203 | if·[·$#·-ne·"1"·] | |
| 210 | 204 | then | |
| 205 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 206 | ··echo·"Aborting." | ||
| 207 | ··exit·1 | ||
| 208 | fi | ||
| 209 | if·which·dnf·;·then | ||
| 210 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 211 | ····dnf·remove·-y·"$package" | ||
| 212 | ··fi | ||
| 213 | elif·which·yum·;·then | ||
| 214 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 215 | ····yum·remove·-y·"$package" | ||
| 216 | ··fi | ||
| 217 | elif·which·apt-get·;·then | ||
| 218 | ··apt-get·remove·-y·"$package" | ||
| 211 | else | 219 | else |
| 212 | 220 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 221 | ··echo·"Aborting." | ||
| 222 | ··exit·1 | ||
| 213 | fi | 223 | fi |
| 214 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29087">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29087"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 215 | ··stat: | ||
| Max diff block lines reached; 1564541/1590328 bytes (98.38%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_o | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·81,·SHA:·4c0efd7fd5ff299a2185037a736930f562109fd8f8ac833d06c44618aa2adc79·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·211·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 91, 15 lines modified | Offset 91, 15 lines modified | ||
| 91 | <br><br> | 91 | <br><br> |
| 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 93 | servers,·and·the·remainder·obtaining·time·information·from·those | 93 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 94 | internal·servers. | 94 | internal·servers. |
| 95 | <br><br> | 95 | <br><br> |
| 96 | More·information·on·how·to·configure·the·NTP·server·software, | 96 | More·information·on·how·to·configure·the·NTP·server·software, |
| 97 | including·configuration·of·cryptographic·authentication·for | 97 | including·configuration·of·cryptographic·authentication·for |
| 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm298 | 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29833"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 100 | ·········· | 100 | ·········· |
| 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 108, 15 lines modified | Offset 108, 15 lines modified | ||
| 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 109 | logs·and·auditing·possible·security·breaches.·· | 109 | logs·and·auditing·possible·security·breaches.·· |
| 110 | <br><br> | 110 | <br><br> |
| 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 112 | deprecated.··Additional·information·on·this·is·available·at· | 112 | deprecated.··Additional·information·on·this·is·available·at· |
| 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29850">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29850"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 116 | # | 116 | # |
| 117 | #·Example·Call(s): | 117 | #·Example·Call(s): |
| 118 | # | 118 | # |
| 119 | #·····service_command·enable·bluetooth | 119 | #·····service_command·enable·bluetooth |
| 120 | #·····service_command·disable·bluetooth.service | 120 | #·····service_command·disable·bluetooth.service |
| 121 | # | 121 | # |
| 122 | #·····Using·xinetd: | 122 | #·····Using·xinetd: |
| Offset 184, 15 lines modified | Offset 184, 15 lines modified | ||
| 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 185 | ··fi | 185 | ··fi |
| 186 | fi | 186 | fi |
| 187 | } | 187 | } |
| 188 | service_command·enable·ntpd | 188 | service_command·enable·ntpd |
| 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29852">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29852"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 190 | ··service: | 190 | ··service: |
| 191 | ····name="{{item}}" | 191 | ····name="{{item}}" |
| 192 | ····enabled="yes" | 192 | ····enabled="yes" |
| 193 | ····state="started" | 193 | ····state="started" |
| 194 | ··with_items: | 194 | ··with_items: |
| 195 | ····-·ntpd | 195 | ····-·ntpd |
| 196 | ··tags: | 196 | ··tags: |
| Offset 201, 35 lines modified | Offset 201, 248 lines modified | ||
| 201 | ····-·enable_strategy | 201 | ····-·enable_strategy |
| 202 | ····-·low_complexity | 202 | ····-·low_complexity |
| 203 | ····-·low_disruption | 203 | ····-·low_disruption |
| 204 | ····-·CCE-27093-4 | 204 | ····-·CCE-27093-4 |
| 205 | ····-·NIST-800-53-AU-8(1) | 205 | ····-·NIST-800-53-AU-8(1) |
| 206 | ····-·PCI-DSS-Req-10.4 | 206 | ····-·PCI-DSS-Req-10.4 |
| 207 | ····-·DISA-STIG-RHEL-06-000247 | 207 | ····-·DISA-STIG-RHEL-06-000247 |
| 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29 | 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29857"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization |
| 210 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | 210 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the |
| 211 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | 211 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for |
| 212 | <em>ntpserver</em>: | 212 | <em>ntpserver</em>: |
| 213 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | 213 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of |
| 214 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | 214 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes |
| 215 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | 215 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for |
| 216 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 216 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 217 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 217 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 218 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29 | 218 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29869"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 220 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 220 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 221 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 221 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 222 | <pre>server·<i>ntpserver</i></pre> | 222 | <pre>server·<i>ntpserver</i></pre> |
| 223 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 223 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 224 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 224 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 225 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 225 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 226 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 226 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 227 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 227 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 228 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_o | 228 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons |
| 229 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 230 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 231 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 232 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 233 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled"·id="guide-tree-leaf-idm30082"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_crond_enabled">Enable·cron·Service | ||
| 234 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_crond_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>crond</code>·service·is·used·to·execute·commands·at | ||
| 235 | preconfigured·times.·It·is·required·by·almost·all·systems·to·perform·necessary | ||
| 236 | maintenance·tasks,·such·as·notifying·root·of·system·activity. | ||
| 237 | ········The·<code>crond</code>·service·can·be·enabled·with·the·following·command: | ||
| 238 | ········<pre>$·sudo·chkconfig·--level·2345·crond·on</pre></p><span·class="label·label-primary">Rationale:</span><p>Due·to·its·usage·for·maintenance·and·security-supporting·tasks, | ||
| 239 | enabling·the·cron·daemon·is·essential.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 240 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 241 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50406r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm30092">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30092"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 242 | # | ||
| 243 | #·Example·Call(s): | ||
| 244 | # | ||
| 245 | #·····service_command·enable·bluetooth | ||
| 246 | #·····service_command·disable·bluetooth.service | ||
| 247 | # | ||
| 248 | #·····Using·xinetd: | ||
| 249 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 250 | # | ||
| 251 | function·service_command·{ | ||
| 252 | #·Load·function·arguments·into·local·variables | ||
| 253 | local·service_state=$1 | ||
| 254 | local·service=$2 | ||
| 255 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 256 | #·Check·sanity·of·the·input | ||
| 257 | if·[·$#·-lt·"2"·] | ||
| 258 | then | ||
| 259 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 260 | ··echo | ||
| Max diff block lines reached; 1517700/1549513 bytes (97.95%) of diff not shown. | |||
| Offset 56, 23 lines modified | Offset 56, 140 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="[·...·truncated·by·diffoscope;·len:·734,·SHA:·25c03cfca8c8e7566953764cd9421d66561e88aec462809a5f7eec462db2bd40·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·192·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·51·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·51·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 72 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to | ||
| 73 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | ||
| 74 | that·passwords·and·other·data·transmitted·during·the·session·can·be | ||
| 75 | captured·and·that·the·session·is·vulnerable·to·hijacking. | ||
| 76 | Therefore,·running·the·FTP·server·software·is·not·recommended. | ||
| 77 | <br><br> | ||
| 78 | However,·there·are·some·FTP·server·configurations·which·may | ||
| 79 | be·appropriate·for·some·environments,·particularly·those·which | ||
| 80 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | ||
| 81 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | ||
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is | ||
| 83 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | ||
| 84 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict·the·Set·of·Users·Allowed·to·Access·FTP | ||
| 85 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·describes·how·to·disable·non-anonymous·(password-based)·FTP·logins,·or,·if·it·is·not·possible·to | ||
| 86 | do·this·entirely·due·to·legacy·applications,·how·to·restrict·insecure·FTP·login·to·only·those·users·who·have·an | ||
| 87 | identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·id="guide-tree-leaf-idm29002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">Restrict·Access·to·Anonymous·Users·if·Possible | ||
| 88 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than | ||
| 89 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: | ||
| 90 | <pre>local_enable=NO</pre> | ||
| 91 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure | ||
| 92 | these·logins·as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 94 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_home_partition"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_home_partition"·id="guide-tree-leaf-idm29038"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_home_partition">Place·the·FTP·Home·Directory·on·its·Own·Partition | ||
| 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_home_partition">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can | ||
| 96 | be·used·to·verify·that·this·directory·is·on·its·own·partition.</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·a·mission-critical·reason·for·anonymous·users·to·upload·files,·precautions·must·be·taken·to·prevent | ||
| 97 | these·users·from·filling·a·disk·used·by·other·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 98 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions | ||
| 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | ||
| 100 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | ||
| 101 | <pre>xferlog_enable=YES | ||
| 102 | xferlog_std_format=NO | ||
| 103 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | ||
| 104 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | ||
| 105 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 106 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 107 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·id="guide-tree-leaf-idm29056"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads">Disable·FTP·Uploads·if·Possible | ||
| 108 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_disable_uploads">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not, | ||
| 109 | edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options: | ||
| 110 | <pre>write_enable=NO</pre> | ||
| 111 | If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions | ||
| 112 | as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·FTP·can·be·a·convenient·way·to·make·files·available·for·universal·download.·However,·it·is·less | ||
| 113 | common·to·have·a·need·to·allow·unauthenticated·users·to·place·files·on·the·FTP·server.·If·this·must·be·done,·it | ||
| 114 | is·necessary·to·ensure·that·files·cannot·be·uploaded·and·downloaded·from·the·same·directory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 115 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29063"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users | ||
| 116 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 117 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 118 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 119 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 120 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | ||
| 121 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and | ||
| 122 | set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed">Install·vsftpd·Package | ||
| 123 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. | ||
| 124 | <pre>$·sudo·yum·install·vsftpd</pre></p><span·class="label·label-primary">Rationale:</span><p>After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security | ||
| 125 | and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 126 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 127 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29086">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29086"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 128 | # | ||
| 129 | #·Example·Call(s): | ||
| 130 | # | ||
| 131 | #·····package_install·aide | ||
| 132 | # | ||
| 133 | function·package_install·{ | ||
| 134 | #·Load·function·arguments·into·local·variables | ||
| 135 | local·package="$1" | ||
| 136 | #·Check·sanity·of·the·input | ||
| 137 | if·[·$#·-ne·"1"·] | ||
| 138 | then | ||
| 139 | ··echo·"Usage:·package_install·'package_name'" | ||
| 140 | ··echo·"Aborting." | ||
| 141 | ··exit·1 | ||
| 142 | fi | ||
| 143 | if·which·dnf·;·then | ||
| 144 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 145 | ····dnf·install·-y·"$package" | ||
| 146 | ··fi | ||
| 147 | elif·which·yum·;·then | ||
| 148 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 149 | ····yum·install·-y·"$package" | ||
| 150 | ··fi | ||
| 151 | elif·which·apt-get·;·then | ||
| 152 | ··apt-get·install·-y·"$package" | ||
| 153 | else | ||
| 154 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 155 | ··echo·"Aborting." | ||
| 156 | ··exit·1 | ||
| 157 | fi | ||
| 158 | } | ||
| 159 | package_install·vsftpd | ||
| 160 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29088">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29088"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·installed | ||
| 161 | ··package: | ||
| 162 | ····name="{{item}}" | ||
| 163 | ····state=present | ||
| 164 | ··with_items: | ||
| 165 | ····-·vsftpd | ||
| 166 | ··tags: | ||
| 167 | ····-·package_vsftpd_installed | ||
| 168 | ····-·unknown_severity | ||
| 169 | ····-·enable_strategy | ||
| 170 | ····-·low_complexity | ||
| 171 | ····-·low_disruption | ||
| 172 | ····-·CCE-27187-4 | ||
| 173 | ····-·NIST-800-53-CM-7 | ||
| 174 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29089">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29089"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_vsftpd | ||
| 175 | class·install_vsftpd·{ | ||
| 176 | ··package·{·'vsftpd': | ||
| Max diff block lines reached; 1399001/1424881 bytes (98.18%) of diff not shown. | |||
| Offset 61, 125 lines modified | Offset 61, 125 lines modified | ||
| 61 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 61 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 62 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 62 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 63 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 63 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 64 | quality,·reliability,·or·any·other·characteristic. | 64 | quality,·reliability,·or·any·other·characteristic. |
| 65 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat· | 65 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat· |
| 66 | Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 66 | Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 67 | ····························(as·of·2018-07-26) | 67 | ····························(as·of·2018-07-26) |
| 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org[·...·truncated·by·diffoscope;·len:·879,·SHA:·a9e3098c4894efb85e37b60670bbc0450483217500119b1f1ca43a0e1222a6a3·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·270·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 72 | ones·can·be·safely·disabled. | 72 | ones·can·be·safely·disabled. |
| 73 | <br><br> | 73 | <br><br> |
| 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 76 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·76·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 76 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·76·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 77 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 77 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 78 | 78 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 79 | 79 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 80 | 80 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 81 | 81 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 82 | 82 | <br><br> | |
| 83 | 83 | However,·there·are·some·FTP·server·configurations·which·may | |
| 84 | 84 | be·appropriate·for·some·environments,·particularly·those·which | |
| 85 | 85 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 86 | de | 86 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 88 | <c | 88 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package |
| 89 | <c | 89 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 90 | 90 | ············ | |
| 91 | 91 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | |
| 92 | 92 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | |
| 93 | p | 93 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 94 | a | 94 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | ||
| 96 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | ||
| 97 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | ||
| 98 | <pre>client·signing·=·mandatory</pre> | ||
| 99 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | ||
| 100 | signing·ensures·they·can | ||
| 101 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | ||
| 102 | man-in-the-middle·attacks·which·modify·SMB·packets·in | ||
| 103 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 104 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 95 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 105 | ············<a·href="http://iase.disa.mil/stigs/ | 96 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29119">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29119"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 106 | # | 97 | # |
| 107 | # | 98 | #·Example·Call(s): |
| 108 | # | 99 | # |
| 100 | #·····package_remove·telnet-server | ||
| 101 | # | ||
| 102 | function·package_remove·{ | ||
| 109 | 103 | #·Load·function·arguments·into·local·variables | |
| 104 | local·package="$1" | ||
| 110 | 105 | #·Check·sanity·of·the·input | |
| 111 | 106 | if·[·$#·-ne·"1"·] | |
| 112 | 107 | then | |
| 108 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 109 | ··echo·"Aborting." | ||
| 110 | ··exit·1 | ||
| 111 | fi | ||
| 112 | if·which·dnf·;·then | ||
| 113 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 114 | ····dnf·remove·-y·"$package" | ||
| 115 | ··fi | ||
| 116 | elif·which·yum·;·then | ||
| 117 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 118 | ····yum·remove·-y·"$package" | ||
| 119 | ··fi | ||
| 120 | elif·which·apt-get·;·then | ||
| 121 | ··apt-get·remove·-y·"$package" | ||
| 113 | else | 122 | else |
| 114 | 123 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 124 | ··echo·"Aborting." | ||
| 125 | ··exit·1 | ||
| 115 | fi | 126 | fi |
| 116 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29087">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29087"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 117 | ··stat: | ||
| 118 | ····path:·/etc/samba/smb.conf | ||
| 119 | ··register:·st_smb | ||
| 120 | ··tags: | ||
| 121 | ····-·require_smb_client_signing | ||
| 122 | ····-·unknown_severity | ||
| 123 | ····-·configure_strategy | ||
| 124 | ····-·low_complexity | ||
| 125 | ····-·medium_disruption | ||
| 126 | ····-·CCE-26328-5 | ||
| 127 | ····-·DISA-STIG-RHEL-06-000272 | ||
| 128 | 127 | } | |
| 129 | ··lineinfile: | ||
| 130 | 128 | package_remove·vsftpd | |
| 131 | ····line | 129 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29121">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29121"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·removed |
| 132 | ·· | 130 | ··package: |
| 133 | ···· | 131 | ····name="{{item}}" |
| 134 | ·· | 132 | ····state=absent |
| 133 | ··with_items: | ||
| 134 | ····-·vsftpd | ||
| 135 | ··tags: | 135 | ··tags: |
| 136 | ····-· | 136 | ····-·package_vsftpd_removed |
| 137 | ····-·unknown_severity | 137 | ····-·unknown_severity |
| 138 | ····-· | 138 | ····-·disable_strategy |
| 139 | ····-·low_complexity | 139 | ····-·low_complexity |
| 140 | ····-· | 140 | ····-·low_disruption |
| 141 | ····-·CCE-26 | 141 | ····-·CCE-26687-4 |
| 142 | ····-· | 142 | ····-·NIST-800-53-CM-7 |
| 143 | </code></pre></div>< | 143 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29122">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29122"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_vsftpd |
| 144 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba | ||
| 145 | 144 | class·remove_vsftpd·{ | |
| 146 | 145 | ··package·{·'vsftpd': | |
| 147 | 146 | ····ensure·=>·'purged', | |
| 148 | 147 | ··} | |
| 149 | 148 | } | |
| 150 | client·sho | 149 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 151 | pack | 150 | package·--remove=vsftpd |
| 152 | 151 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server | |
| 153 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 154 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server | ||
| 155 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to | 152 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to |
| 156 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant | 153 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant |
| 157 | security·risk·because: | 154 | security·risk·because: |
| 158 | <br><br> | 155 | <br><br> |
| 159 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long | 156 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long |
| 160 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive | 157 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive |
| 161 | monitoring</li></ul> | 158 | monitoring</li></ul> |
| Max diff block lines reached; 1979883/2003624 bytes (98.82%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 91, 15 lines modified | Offset 91, 15 lines modified | ||
| 91 | <br><br> | 91 | <br><br> |
| 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 93 | servers,·and·the·remainder·obtaining·time·information·from·those | 93 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 94 | internal·servers. | 94 | internal·servers. |
| 95 | <br><br> | 95 | <br><br> |
| 96 | More·information·on·how·to·configure·the·NTP·server·software, | 96 | More·information·on·how·to·configure·the·NTP·server·software, |
| 97 | including·configuration·of·cryptographic·authentication·for | 97 | including·configuration·of·cryptographic·authentication·for |
| 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm298 | 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29833"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 100 | ·········· | 100 | ·········· |
| 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 108, 15 lines modified | Offset 108, 15 lines modified | ||
| 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 109 | logs·and·auditing·possible·security·breaches.·· | 109 | logs·and·auditing·possible·security·breaches.·· |
| 110 | <br><br> | 110 | <br><br> |
| 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 112 | deprecated.··Additional·information·on·this·is·available·at· | 112 | deprecated.··Additional·information·on·this·is·available·at· |
| 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29850">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29850"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 116 | # | 116 | # |
| 117 | #·Example·Call(s): | 117 | #·Example·Call(s): |
| 118 | # | 118 | # |
| 119 | #·····service_command·enable·bluetooth | 119 | #·····service_command·enable·bluetooth |
| 120 | #·····service_command·disable·bluetooth.service | 120 | #·····service_command·disable·bluetooth.service |
| 121 | # | 121 | # |
| 122 | #·····Using·xinetd: | 122 | #·····Using·xinetd: |
| Offset 184, 15 lines modified | Offset 184, 15 lines modified | ||
| 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 185 | ··fi | 185 | ··fi |
| 186 | fi | 186 | fi |
| 187 | } | 187 | } |
| 188 | service_command·enable·ntpd | 188 | service_command·enable·ntpd |
| 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29852">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29852"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 190 | ··service: | 190 | ··service: |
| 191 | ····name="{{item}}" | 191 | ····name="{{item}}" |
| 192 | ····enabled="yes" | 192 | ····enabled="yes" |
| 193 | ····state="started" | 193 | ····state="started" |
| 194 | ··with_items: | 194 | ··with_items: |
| 195 | ····-·ntpd | 195 | ····-·ntpd |
| 196 | ··tags: | 196 | ··tags: |
| Offset 201, 25 lines modified | Offset 201, 25 lines modified | ||
| 201 | ····-·enable_strategy | 201 | ····-·enable_strategy |
| 202 | ····-·low_complexity | 202 | ····-·low_complexity |
| 203 | ····-·low_disruption | 203 | ····-·low_disruption |
| 204 | ····-·CCE-27093-4 | 204 | ····-·CCE-27093-4 |
| 205 | ····-·NIST-800-53-AU-8(1) | 205 | ····-·NIST-800-53-AU-8(1) |
| 206 | ····-·PCI-DSS-Req-10.4 | 206 | ····-·PCI-DSS-Req-10.4 |
| 207 | ····-·DISA-STIG-RHEL-06-000247 | 207 | ····-·DISA-STIG-RHEL-06-000247 |
| 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29 | 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29857"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization |
| 210 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | 210 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the |
| 211 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | 211 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for |
| 212 | <em>ntpserver</em>: | 212 | <em>ntpserver</em>: |
| 213 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | 213 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of |
| 214 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | 214 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes |
| 215 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | 215 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for |
| 216 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 216 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 217 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 217 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 218 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29 | 218 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29869"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 220 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 220 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 221 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 221 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 222 | <pre>server·<i>ntpserver</i></pre> | 222 | <pre>server·<i>ntpserver</i></pre> |
| 223 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 223 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 224 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 224 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 225 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 225 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| Offset 234, 15 lines modified | Offset 234, 15 lines modified | ||
| 234 | detailed·documentation·is·available·from·its·website, | 234 | detailed·documentation·is·available·from·its·website, |
| 235 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and | 235 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and |
| 236 | provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary | 236 | provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary |
| 237 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 237 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 238 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 238 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 239 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 239 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 240 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 240 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 241 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31 | 241 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31839"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 242 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout | 242 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout |
| 243 | interval. | 243 | interval. |
| 244 | After·this·interval·has·passed,·the·idle·user·will·be | 244 | After·this·interval·has·passed,·the·idle·user·will·be |
| 245 | automatically·logged·out. | 245 | automatically·logged·out. |
| 246 | <br><br> | 246 | <br><br> |
| 247 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 247 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 248 | follows: | 248 | follows: |
| Offset 253, 23 lines modified | Offset 253, 23 lines modified | ||
| 253 | If·a·shorter·timeout·has·already·been·set·for·the·login | 253 | If·a·shorter·timeout·has·already·been·set·for·the·login |
| 254 | shell,·that·value·will·preempt·any·SSH | 254 | shell,·that·value·will·preempt·any·SSH |
| 255 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 255 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 256 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 256 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 257 | guards·against·compromises·one·system·leading·trivially | 257 | guards·against·compromises·one·system·leading·trivially |
| 258 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 258 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 259 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 259 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 260 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000879</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50409r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm31 | 260 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000879</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50409r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm31860">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31860"><pre><code> |
| 261 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>" | 261 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>" |
| 262 | grep·-q·^ClientAliveInterval·/etc/ssh/sshd_config·&&·\ | 262 | grep·-q·^ClientAliveInterval·/etc/ssh/sshd_config·&&·\ |
| 263 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config | 263 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config |
| 264 | if·!·[·$?·-eq·0·];·then | 264 | if·!·[·$?·-eq·0·];·then |
| 265 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config | 265 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config |
| 266 | fi | 266 | fi |
| 267 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm31 | 267 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm31862">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31862"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable |
| 268 | ··set_fact: | 268 | ··set_fact: |
| 269 | ····sshd_idle_timeout_value:·<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr> | 269 | ····sshd_idle_timeout_value:·<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr> |
| 270 | ··tags: | 270 | ··tags: |
| 271 | ····-·always | 271 | ····-·always |
| Max diff block lines reached; 764719/788466 bytes (96.99%) of diff not shown. | |||
| Offset 56, 23 lines modified | Offset 56, 135 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_o | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_o | 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons |
| 72 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 73 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 74 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 75 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 76 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm30099"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd) | ||
| 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to | ||
| 78 | schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed | ||
| 79 | execution·in·a·manner·similar·to·cron,·except·that·it·is·not | ||
| 80 | recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via | ||
| 81 | <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time. | ||
| 82 | ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command: | ||
| 83 | ········<pre>$·sudo·chkconfig·atd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry | ||
| 84 | out·activities·outside·of·a·normal·login·session,·which·could·complicate | ||
| 85 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or | ||
| 86 | <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 87 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 88 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50442r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm30117">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30117"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 89 | # | ||
| 90 | #·Example·Call(s): | ||
| 91 | # | ||
| 92 | #·····service_command·enable·bluetooth | ||
| 93 | #·····service_command·disable·bluetooth.service | ||
| 94 | # | ||
| 95 | #·····Using·xinetd: | ||
| 96 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 97 | # | ||
| 98 | function·service_command·{ | ||
| 99 | #·Load·function·arguments·into·local·variables | ||
| 100 | local·service_state=$1 | ||
| 101 | local·service=$2 | ||
| 102 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 103 | #·Check·sanity·of·the·input | ||
| 104 | if·[·$#·-lt·"2"·] | ||
| 105 | then | ||
| 106 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 107 | ··echo | ||
| 108 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 109 | ··echo·"as·the·last·argument"·· | ||
| 110 | ··echo·"Aborting." | ||
| 111 | ··exit·1 | ||
| 112 | fi | ||
| 113 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 114 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 115 | ··service_util="/usr/bin/systemctl" | ||
| 116 | else | ||
| 117 | ··service_util="/sbin/service" | ||
| 118 | ··chkconfig_util="/sbin/chkconfig" | ||
| 119 | fi | ||
| 120 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 121 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 122 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 123 | ··service_state="enable" | ||
| 124 | ··service_operation="start" | ||
| 125 | ··chkconfig_state="on" | ||
| 126 | else | ||
| 127 | ··service_state="disable" | ||
| 128 | ··service_operation="stop" | ||
| 129 | ··chkconfig_state="off" | ||
| 130 | fi | ||
| 131 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 132 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 133 | ··$service_util·$service·$service_operation | ||
| 134 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 135 | else | ||
| 136 | ··$service_util·$service_operation·$service | ||
| 137 | ··$service_util·$service_state·$service | ||
| 138 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 139 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 140 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 141 | ··$service_util·reset-failed·$service | ||
| 142 | fi | ||
| 143 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 144 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 145 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 146 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 147 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 148 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 149 | ··else | ||
| 150 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 151 | ··fi | ||
| 152 | fi | ||
| 153 | } | ||
| 154 | service_command·disable·atd | ||
| 155 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm30119">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30119"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd | ||
| 156 | ··service: | ||
| 157 | ····name="{{item}}" | ||
| 158 | ····enabled="no" | ||
| 159 | ····state="stopped" | ||
| 160 | ··register:·service_result | ||
| 161 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 162 | ··with_items: | ||
| 163 | ····-·atd | ||
| 164 | ··tags: | ||
| 165 | ····-·service_atd_disabled | ||
| 166 | ····-·unknown_severity | ||
| 167 | ····-·disable_strategy | ||
| 168 | ····-·low_complexity | ||
| 169 | ····-·low_disruption | ||
| 170 | ····-·CCE-27249-2 | ||
| 171 | ····-·NIST-800-53-CM-7 | ||
| 172 | ····-·DISA-STIG-RHEL-06-000262 | ||
| Max diff block lines reached; 582581/597516 bytes (97.50%) of diff not shown. | |||
| Offset 57, 15 lines modified | Offset 57, 15 lines modified | ||
| 57 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgpr[·...·truncated·by·diffoscope;·len:·550,·SHA:·57496307fa97d1728004b56852784b91d9d3fe09769ff2b07f1473882fcbec47·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·186·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 83, 39 lines modified | Offset 83, 39 lines modified | ||
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in |
| 84 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a | 84 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a |
| 85 | <code>[global]</code>·configuration·section·and·a·series·of·user | 85 | <code>[global]</code>·configuration·section·and·a·series·of·user |
| 86 | created·share·definition·sections·meant·to·describe·file·or·print | 86 | created·share·definition·sections·meant·to·describe·file·or·print |
| 87 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode | 87 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode |
| 88 | and·allow·client·systems·to·access·local·home·directories·and | 88 | and·allow·client·systems·to·access·local·home·directories·and |
| 89 | printers.·It·is·recommended·that·these·settings·be·changed·or·that | 89 | printers.·It·is·recommended·that·these·settings·be·changed·or·that |
| 90 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29 | 90 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29692"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient |
| 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use |
| 92 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | 92 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section |
| 93 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | 93 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: |
| 94 | <pre>client·signing·=·mandatory</pre> | 94 | <pre>client·signing·=·mandatory</pre> |
| 95 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | 95 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet |
| 96 | signing·ensures·they·can | 96 | signing·ensures·they·can |
| 97 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | 97 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent |
| 98 | man-in-the-middle·attacks·which·modify·SMB·packets·in | 98 | man-in-the-middle·attacks·which·modify·SMB·packets·in |
| 99 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 99 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 100 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 100 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 101 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 101 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29703">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29703"><pre><code>###################################################################### |
| 102 | #By·Luke·"Brisk-OH"·Brisk | 102 | #By·Luke·"Brisk-OH"·Brisk |
| 103 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 103 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 104 | ###################################################################### | 104 | ###################################################################### |
| 105 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 105 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| 106 | if·[·"$CLIENTSIGNING"·-eq·0·];··then | 106 | if·[·"$CLIENTSIGNING"·-eq·0·];··then |
| 107 | » #·Add·to·global·section | 107 | » #·Add·to·global·section |
| 108 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 108 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 109 | else | 109 | else |
| 110 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 110 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 111 | fi | 111 | fi |
| 112 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 112 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29704">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29704"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists |
| 113 | ··stat: | 113 | ··stat: |
| 114 | ····path:·/etc/samba/smb.conf | 114 | ····path:·/etc/samba/smb.conf |
| 115 | ··register:·st_smb | 115 | ··register:·st_smb |
| 116 | ··tags: | 116 | ··tags: |
| 117 | ····-·require_smb_client_signing | 117 | ····-·require_smb_client_signing |
| 118 | ····-·unknown_severity | 118 | ····-·unknown_severity |
| 119 | ····-·configure_strategy | 119 | ····-·configure_strategy |
| Offset 135, 84 lines modified | Offset 135, 26 lines modified | ||
| 135 | ····-·require_smb_client_signing | 135 | ····-·require_smb_client_signing |
| 136 | ····-·unknown_severity | 136 | ····-·unknown_severity |
| 137 | ····-·configure_strategy | 137 | ····-·configure_strategy |
| 138 | ····-·low_complexity | 138 | ····-·low_complexity |
| 139 | ····-·medium_disruption | 139 | ····-·medium_disruption |
| 140 | ····-·CCE-26328-5 | 140 | ····-·CCE-26328-5 |
| 141 | ····-·DISA-STIG-RHEL-06-000272 | 141 | ····-·DISA-STIG-RHEL-06-000272 |
| 142 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm2909 | 142 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29709"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs |
| 143 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba | 143 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba |
| 144 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares | 144 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares |
| 145 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either | 145 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either |
| 146 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. | 146 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. |
| 147 | <br><br> | 147 | <br><br> |
| 148 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba | 148 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba |
| 149 | client·should·only·communicate·with·servers·who·can·support·SMB | 149 | client·should·only·communicate·with·servers·who·can·support·SMB |
| 150 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle | 150 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle |
| 151 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 151 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 152 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 152 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 153 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 153 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 154 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. | ||
| 155 | Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious | ||
| 156 | targets·of·network·attack. | ||
| 157 | Ensure·that·systems·are·not·running·MTAs·unnecessarily, | ||
| 158 | and·configure·needed·MTAs·as·defensively·as·possible. | ||
| 159 | <br><br> | ||
| 160 | Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the | ||
| 161 | network.·Users·should·instead·use·mail·client·programs·to·retrieve·email | ||
| 162 | from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. | ||
| 163 | However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, | ||
| 164 | for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. | ||
| 165 | Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from | ||
| 166 | the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), | ||
| 167 | but·the·system·still·cannot·receive·mail·directly·over·a·network. | ||
| 168 | <br><br> | ||
| 169 | The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software | ||
| 170 | (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. | ||
| 171 | Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by | ||
| 172 | SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. | ||
| 173 | More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients | ||
| 174 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only | ||
| 175 | e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29520"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening | ||
| 176 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following | ||
| 177 | <code>inet_interfaces</code>·line·appears: | ||
| 178 | <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages | ||
| 179 | (such·as·cron·job·reports)·from·the·local·system·only, | ||
| 180 | and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 181 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 182 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 183 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 184 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 185 | parameters·from·a·server. | ||
| 186 | <br><br> | ||
| 187 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 188 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 189 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 190 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 191 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 192 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 193 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 194 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 195 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29749"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 196 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 197 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 198 | following·changes: | ||
| 199 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 200 | <pre>BOOTPROTO=none</pre> | ||
| 201 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 202 | values·based·on·your·site's·addressing·scheme: | ||
| 203 | <pre>NETMASK=255.255.255.0 | ||
| 204 | IPADDR=192.168.1.2 | ||
| 205 | GATEWAY=192.168.1.1</pre> | ||
| Max diff block lines reached; 1363993/1390438 bytes (98.10%) of diff not shown. | |||
| Offset 58, 15 lines modified | Offset 58, 15 lines modified | ||
| 58 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 58 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 59 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 59 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 60 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 60 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 61 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 61 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 62 | quality,·reliability,·or·any·other·characteristic. | 62 | quality,·reliability,·or·any·other·characteristic. |
| 63 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 63 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 64 | ····························(as·of·2018-07-26) | 64 | ····························(as·of·2018-07-26) |
| 65 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 65 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li>[·...·truncated·by·diffoscope;·len:·399,·SHA:·fbfb410e2703115c5bde514edad124bef19a840feb775eacf478f7e80a5206c7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·182·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 67 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 67 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 68 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 68 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 69 | ones·can·be·safely·disabled. | 69 | ones·can·be·safely·disabled. |
| 70 | <br><br> | 70 | <br><br> |
| 71 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 71 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 72 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 72 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 84, 39 lines modified | Offset 84, 39 lines modified | ||
| 84 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in | 84 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in |
| 85 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a | 85 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a |
| 86 | <code>[global]</code>·configuration·section·and·a·series·of·user | 86 | <code>[global]</code>·configuration·section·and·a·series·of·user |
| 87 | created·share·definition·sections·meant·to·describe·file·or·print | 87 | created·share·definition·sections·meant·to·describe·file·or·print |
| 88 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode | 88 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode |
| 89 | and·allow·client·systems·to·access·local·home·directories·and | 89 | and·allow·client·systems·to·access·local·home·directories·and |
| 90 | printers.·It·is·recommended·that·these·settings·be·changed·or·that | 90 | printers.·It·is·recommended·that·these·settings·be·changed·or·that |
| 91 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29 | 91 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29692"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient |
| 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use |
| 93 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | 93 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section |
| 94 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | 94 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: |
| 95 | <pre>client·signing·=·mandatory</pre> | 95 | <pre>client·signing·=·mandatory</pre> |
| 96 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | 96 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet |
| 97 | signing·ensures·they·can | 97 | signing·ensures·they·can |
| 98 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | 98 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent |
| 99 | man-in-the-middle·attacks·which·modify·SMB·packets·in | 99 | man-in-the-middle·attacks·which·modify·SMB·packets·in |
| 100 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 100 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 101 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 101 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 102 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 102 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29703">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29703"><pre><code>###################################################################### |
| 103 | #By·Luke·"Brisk-OH"·Brisk | 103 | #By·Luke·"Brisk-OH"·Brisk |
| 104 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 104 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 105 | ###################################################################### | 105 | ###################################################################### |
| 106 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 106 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| 107 | if·[·"$CLIENTSIGNING"·-eq·0·];··then | 107 | if·[·"$CLIENTSIGNING"·-eq·0·];··then |
| 108 | » #·Add·to·global·section | 108 | » #·Add·to·global·section |
| 109 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 109 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 110 | else | 110 | else |
| 111 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 111 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 112 | fi | 112 | fi |
| 113 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 113 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29704">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29704"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists |
| 114 | ··stat: | 114 | ··stat: |
| 115 | ····path:·/etc/samba/smb.conf | 115 | ····path:·/etc/samba/smb.conf |
| 116 | ··register:·st_smb | 116 | ··register:·st_smb |
| 117 | ··tags: | 117 | ··tags: |
| 118 | ····-·require_smb_client_signing | 118 | ····-·require_smb_client_signing |
| 119 | ····-·unknown_severity | 119 | ····-·unknown_severity |
| 120 | ····-·configure_strategy | 120 | ····-·configure_strategy |
| Offset 136, 55 lines modified | Offset 136, 26 lines modified | ||
| 136 | ····-·require_smb_client_signing | 136 | ····-·require_smb_client_signing |
| 137 | ····-·unknown_severity | 137 | ····-·unknown_severity |
| 138 | ····-·configure_strategy | 138 | ····-·configure_strategy |
| 139 | ····-·low_complexity | 139 | ····-·low_complexity |
| 140 | ····-·medium_disruption | 140 | ····-·medium_disruption |
| 141 | ····-·CCE-26328-5 | 141 | ····-·CCE-26328-5 |
| 142 | ····-·DISA-STIG-RHEL-06-000272 | 142 | ····-·DISA-STIG-RHEL-06-000272 |
| 143 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm2909 | 143 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29709"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs |
| 144 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba | 144 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba |
| 145 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares | 145 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares |
| 146 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either | 146 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either |
| 147 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. | 147 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. |
| 148 | <br><br> | 148 | <br><br> |
| 149 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba | 149 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba |
| 150 | client·should·only·communicate·with·servers·who·can·support·SMB | 150 | client·should·only·communicate·with·servers·who·can·support·SMB |
| 151 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle | 151 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle |
| 152 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 152 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 153 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 153 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 154 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 154 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 155 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. | ||
| 156 | Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious | ||
| 157 | targets·of·network·attack. | ||
| 158 | Ensure·that·systems·are·not·running·MTAs·unnecessarily, | ||
| 159 | and·configure·needed·MTAs·as·defensively·as·possible. | ||
| 160 | <br><br> | ||
| 161 | Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the | ||
| 162 | network.·Users·should·instead·use·mail·client·programs·to·retrieve·email | ||
| 163 | from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. | ||
| 164 | However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, | ||
| 165 | for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. | ||
| 166 | Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from | ||
| 167 | the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), | ||
| 168 | but·the·system·still·cannot·receive·mail·directly·over·a·network. | ||
| 169 | <br><br> | ||
| 170 | The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software | ||
| 171 | (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. | ||
| 172 | Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by | ||
| 173 | SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. | ||
| 174 | More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients | ||
| 175 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only | ||
| 176 | e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29520"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening | ||
| 177 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following | ||
| 178 | <code>inet_interfaces</code>·line·appears: | ||
| 179 | <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages | ||
| 180 | (such·as·cron·job·reports)·from·the·local·system·only, | ||
| 181 | and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 182 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 183 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 184 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 155 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 185 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 156 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 186 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 157 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 187 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 158 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 188 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 159 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 189 | outside·world. | 160 | outside·world. |
| 190 | <br><br> | 161 | <br><br> |
| Offset 203, 15 lines modified | Offset 174, 15 lines modified | ||
| 203 | <br><br> | 174 | <br><br> |
| 204 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 175 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 205 | servers,·and·the·remainder·obtaining·time·information·from·those | 176 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 206 | internal·servers. | 177 | internal·servers. |
| 207 | <br><br> | 178 | <br><br> |
| 208 | More·information·on·how·to·configure·the·NTP·server·software, | 179 | More·information·on·how·to·configure·the·NTP·server·software, |
| 209 | including·configuration·of·cryptographic·authentication·for | 180 | including·configuration·of·cryptographic·authentication·for |
| 210 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm298 | 181 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29833"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 211 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 182 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 212 | ·········· | 183 | ·········· |
| 213 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 184 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 214 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 185 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 215 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 186 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 216 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 187 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 217 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 188 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Max diff block lines reached; 1337116/1361560 bytes (98.20%) of diff not shown. | |||
| Offset 63, 23 lines modified | Offset 63, 50 lines modified | ||
| 63 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 63 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 64 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 64 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 65 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 65 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 66 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 66 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 67 | quality,·reliability,·or·any·other·characteristic. | 67 | quality,·reliability,·or·any·other·characteristic. |
| 68 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 68 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 69 | ····························(as·of·2018-07-26) | 69 | ····························(as·of·2018-07-26) |
| 70 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 70 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xc[·...·truncated·by·diffoscope;·len:·910,·SHA:·dfe52403ca27039c6fd60778f9cb46d9343b9cfec43f048aeacec9a362dd7410·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·250·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 71 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 71 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 72 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 72 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 73 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 73 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 74 | ones·can·be·safely·disabled. | 74 | ones·can·be·safely·disabled. |
| 75 | <br><br> | 75 | <br><br> |
| 76 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 76 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 77 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 77 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 78 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·57·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 78 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·57·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 79 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to | ||
| 80 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | ||
| 81 | that·passwords·and·other·data·transmitted·during·the·session·can·be | ||
| 82 | captured·and·that·the·session·is·vulnerable·to·hijacking. | ||
| 83 | Therefore,·running·the·FTP·server·software·is·not·recommended. | ||
| 84 | <br><br> | ||
| 85 | However,·there·are·some·FTP·server·configurations·which·may | ||
| 86 | be·appropriate·for·some·environments,·particularly·those·which | ||
| 87 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | ||
| 88 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | ||
| 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is | ||
| 90 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | ||
| 91 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions | ||
| 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | ||
| 93 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | ||
| 94 | <pre>xferlog_enable=YES | ||
| 95 | xferlog_std_format=NO | ||
| 96 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | ||
| 97 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | ||
| 98 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 99 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 100 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29063"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users | ||
| 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 102 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 103 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 104 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 105 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server | ||
| 79 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows | 106 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows |
| 80 | Linux·systems·to·provide·file·and·print·sharing·to·Microsoft | 107 | Linux·systems·to·provide·file·and·print·sharing·to·Microsoft |
| 81 | Windows·systems.·There·are·two·software·packages·that·provide | 108 | Windows·systems.·There·are·two·software·packages·that·provide |
| 82 | Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of | 109 | Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of |
| 83 | command·line·tools·that·enable·a·client·system·to·access·Samba | 110 | command·line·tools·that·enable·a·client·system·to·access·Samba |
| 84 | shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba | 111 | shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba |
| 85 | service.·It·is·this·second·package·that·allows·a·Linux·system·to | 112 | service.·It·is·this·second·package·that·allows·a·Linux·system·to |
| Offset 89, 39 lines modified | Offset 116, 39 lines modified | ||
| 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in | 116 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in |
| 90 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a | 117 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a |
| 91 | <code>[global]</code>·configuration·section·and·a·series·of·user | 118 | <code>[global]</code>·configuration·section·and·a·series·of·user |
| 92 | created·share·definition·sections·meant·to·describe·file·or·print | 119 | created·share·definition·sections·meant·to·describe·file·or·print |
| 93 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode | 120 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode |
| 94 | and·allow·client·systems·to·access·local·home·directories·and | 121 | and·allow·client·systems·to·access·local·home·directories·and |
| 95 | printers.·It·is·recommended·that·these·settings·be·changed·or·that | 122 | printers.·It·is·recommended·that·these·settings·be·changed·or·that |
| 96 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29 | 123 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29692"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient |
| 97 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | 124 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use |
| 98 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | 125 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section |
| 99 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | 126 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: |
| 100 | <pre>client·signing·=·mandatory</pre> | 127 | <pre>client·signing·=·mandatory</pre> |
| 101 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | 128 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet |
| 102 | signing·ensures·they·can | 129 | signing·ensures·they·can |
| 103 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | 130 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent |
| 104 | man-in-the-middle·attacks·which·modify·SMB·packets·in | 131 | man-in-the-middle·attacks·which·modify·SMB·packets·in |
| 105 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 132 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 106 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 133 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 107 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 134 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29703">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29703"><pre><code>###################################################################### |
| 108 | #By·Luke·"Brisk-OH"·Brisk | 135 | #By·Luke·"Brisk-OH"·Brisk |
| 109 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 136 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 110 | ###################################################################### | 137 | ###################################################################### |
| 111 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 138 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| 112 | if·[·"$CLIENTSIGNING"·-eq·0·];··then | 139 | if·[·"$CLIENTSIGNING"·-eq·0·];··then |
| 113 | » #·Add·to·global·section | 140 | » #·Add·to·global·section |
| 114 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 141 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 115 | else | 142 | else |
| 116 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 143 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 117 | fi | 144 | fi |
| 118 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 145 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29704">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29704"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists |
| 119 | ··stat: | 146 | ··stat: |
| 120 | ····path:·/etc/samba/smb.conf | 147 | ····path:·/etc/samba/smb.conf |
| 121 | ··register:·st_smb | 148 | ··register:·st_smb |
| 122 | ··tags: | 149 | ··tags: |
| 123 | ····-·require_smb_client_signing | 150 | ····-·require_smb_client_signing |
| 124 | ····-·unknown_severity | 151 | ····-·unknown_severity |
| 125 | ····-·configure_strategy | 152 | ····-·configure_strategy |
| Offset 141, 71 lines modified | Offset 168, 191 lines modified | ||
| 141 | ····-·require_smb_client_signing | 168 | ····-·require_smb_client_signing |
| 142 | ····-·unknown_severity | 169 | ····-·unknown_severity |
| 143 | ····-·configure_strategy | 170 | ····-·configure_strategy |
| 144 | ····-·low_complexity | 171 | ····-·low_complexity |
| 145 | ····-·medium_disruption | 172 | ····-·medium_disruption |
| 146 | ····-·CCE-26328-5 | 173 | ····-·CCE-26328-5 |
| 147 | ····-·DISA-STIG-RHEL-06-000272 | 174 | ····-·DISA-STIG-RHEL-06-000272 |
| 148 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm2909 | 175 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29709"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs |
| 149 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba | 176 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba |
| 150 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares | 177 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares |
| 151 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either | 178 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either |
| 152 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. | 179 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. |
| 153 | <br><br> | 180 | <br><br> |
| 154 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba | 181 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba |
| 155 | client·should·only·communicate·with·servers·who·can·support·SMB | 182 | client·should·only·communicate·with·servers·who·can·support·SMB |
| 156 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle | 183 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle |
| 157 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 184 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 158 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 185 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 159 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 186 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 160 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 187 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 161 | 188 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | |
| 162 | t | 189 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 163 | 190 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | |
| 164 | an | 191 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 192 | outside·world. | ||
| 165 | <br><br> | 193 | <br><br> |
| 166 | 194 | If·every·system·on·a·network·reliably·reports·the·same·time,·then·it·is·much | |
| 167 | 195 | easier·to·correlate·log·messages·in·case·of·an·attack.·In·addition,·a·number·of | |
| 168 | 196 | cryptographic·protocols·(such·as·Kerberos)·use·timestamps·to·prevent·certain | |
| 169 | 197 | types·of·attacks.·If·your·network·does·not·have·synchronized·time,·these | |
| 170 | 198 | protocols·may·be·unreliable·or·even·unusable. | |
| 171 | Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from | ||
| 172 | the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), | ||
| 173 | but·the·system·still·cannot·receive·mail·directly·over·a·network. | ||
| 174 | <br><br> | 199 | <br><br> |
| 175 | 200 | Depending·on·the·specifics·of·the·network,·global·time·accuracy·may·be·just·as | |
| Max diff block lines reached; 1809627/1843863 bytes (98.14%) of diff not shown. | |||
| Offset 57, 45 lines modified | Offset 57, 45 lines modified | ||
| 57 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·1135,·SHA:·21de240d343fbd223cf68c70c59d884c3ee65c2748e12911430648c71044dd8d·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·223·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·56·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·56·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 74 | 74 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 75 | 75 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 76 | 76 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 77 | 77 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 78 | 78 | <br><br> | |
| 79 | 79 | However,·there·are·some·FTP·server·configurations·which·may | |
| 80 | 80 | be·appropriate·for·some·environments,·particularly·those·which | |
| 81 | 81 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 82 | de | 82 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_s | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 84 | 84 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | |
| 85 | a | 85 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 86 | sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm28998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba | ||
| 87 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 88 | ············ | 86 | ············ |
| 89 | ········The·<code>s | 87 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 90 | ········<pre>$·sudo·chkconfig·s | 88 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 91 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running· | 89 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue |
| 92 | 90 | of·attack,·and·should·be·disabled·if·not·needed. | |
| 91 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | ||
| 92 | a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 94 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 94 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 95 | # | 95 | # |
| 96 | #·Example·Call(s): | 96 | #·Example·Call(s): |
| 97 | # | 97 | # |
| 98 | #·····service_command·enable·bluetooth | 98 | #·····service_command·enable·bluetooth |
| 99 | #·····service_command·disable·bluetooth.service | 99 | #·····service_command·disable·bluetooth.service |
| 100 | # | 100 | # |
| 101 | #·····Using·xinetd: | 101 | #·····Using·xinetd: |
| Offset 162, 124 lines modified | Offset 162, 123 lines modified | ||
| 162 | ··else | 162 | ··else |
| 163 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 163 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 164 | ··fi | 164 | ··fi |
| 165 | fi | 165 | fi |
| 166 | } | 166 | } |
| 167 | service_command·disable·s | 167 | service_command·disable·vsftpd |
| 168 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 168 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29106">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29106"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd |
| 169 | ··service: | 169 | ··service: |
| 170 | ····name="{{item}}" | 170 | ····name="{{item}}" |
| 171 | ····enabled="no" | 171 | ····enabled="no" |
| 172 | ····state="stopped" | 172 | ····state="stopped" |
| 173 | ··register:·service_result | 173 | ··register:·service_result |
| 174 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 174 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 175 | ··with_items: | 175 | ··with_items: |
| 176 | ····-·s | 176 | ····-·vsftpd |
| 177 | ··tags: | 177 | ··tags: |
| 178 | ····-·service_s | 178 | ····-·service_vsftpd_disabled |
| 179 | ····-·unknown_severity | 179 | ····-·unknown_severity |
| 180 | ····-·disable_strategy | 180 | ····-·disable_strategy |
| 181 | ····-·low_complexity | 181 | ····-·low_complexity |
| 182 | ····-·low_disruption | 182 | ····-·low_disruption |
| 183 | ····-·CCE-2 | 183 | ····-·CCE-26948-0 |
| 184 | 184 | ····-·NIST-800-53-CM-7 | |
| 185 | · | 185 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package |
| 186 | 186 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | |
| 187 | 187 | ············ | |
| 188 | 188 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | |
| 189 | 189 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | |
| 190 | an | 190 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 191 | 191 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 192 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29075"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient | ||
| 193 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | ||
| 194 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | ||
| 195 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | ||
| 196 | <pre>client·signing·=·mandatory</pre> | ||
| 197 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | ||
| 198 | signing·ensures·they·can | ||
| 199 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | ||
| 200 | man-in-the-middle·attacks·which·modify·SMB·packets·in | ||
| 201 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 202 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 192 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 203 | ············<a·href="http://iase.disa.mil/stigs/ | 193 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29119">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29119"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 204 | # | 194 | # |
| 205 | # | 195 | #·Example·Call(s): |
| 206 | # | 196 | # |
| 197 | #·····package_remove·telnet-server | ||
| 198 | # | ||
| 199 | function·package_remove·{ | ||
| 207 | 200 | #·Load·function·arguments·into·local·variables | |
| 201 | local·package="$1" | ||
| 208 | 202 | #·Check·sanity·of·the·input | |
| 209 | 203 | if·[·$#·-ne·"1"·] | |
| 210 | 204 | then | |
| 205 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 206 | ··echo·"Aborting." | ||
| 207 | ··exit·1 | ||
| 208 | fi | ||
| 209 | if·which·dnf·;·then | ||
| 210 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 211 | ····dnf·remove·-y·"$package" | ||
| 212 | ··fi | ||
| 213 | elif·which·yum·;·then | ||
| 214 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 215 | ····yum·remove·-y·"$package" | ||
| 216 | ··fi | ||
| 217 | elif·which·apt-get·;·then | ||
| 218 | ··apt-get·remove·-y·"$package" | ||
| 211 | else | 219 | else |
| 212 | 220 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 221 | ··echo·"Aborting." | ||
| 222 | ··exit·1 | ||
| 213 | fi | 223 | fi |
| 214 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29087">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29087"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 215 | ··stat: | ||
| Max diff block lines reached; 1705539/1731578 bytes (98.50%) of diff not shown. | |||
| Offset 66, 15 lines modified | Offset 66, 15 lines modified | ||
| 66 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 66 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 67 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 67 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 68 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 68 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 69 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 69 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 70 | quality,·reliability,·or·any·other·characteristic. | 70 | quality,·reliability,·or·any·other·characteristic. |
| 71 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·7</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 71 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·7</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 72 | ····························(as·of·2018-07-26) | 72 | ····························(as·of·2018-07-26) |
| 73 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Serv | 73 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·39,·SHA:·71531d2cb5e45bf87276058ffe0a5eac9722a5944d366562dfd03b1cc8832d7f·...·]</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"><small>contains·213·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 75 | the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 75 | the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 76 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which | 76 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which |
| 77 | ones·can·be·safely·disabled. | 77 | ones·can·be·safely·disabled. |
| 78 | <br><br> | 78 | <br><br> |
| 79 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 79 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 80 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 80 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 92, 24 lines modified | Offset 92, 24 lines modified | ||
| 92 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 92 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 93 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 93 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 94 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 94 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 95 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 95 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 96 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·14·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 96 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·14·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 97 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 97 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 98 | allow·cleartext·remote·access·and·have·an·insecure·trust | 98 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 99 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm3 | 99 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35994"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package |
| 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands | 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands |
| 101 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have | 101 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have |
| 102 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, | 102 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, |
| 103 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from | 103 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from |
| 104 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing | 104 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing |
| 105 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes | 105 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes |
| 106 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 106 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 107 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 107 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 108 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 108 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36017">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36017"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 109 | # | 109 | # |
| 110 | #·Example·Call(s): | 110 | #·Example·Call(s): |
| 111 | # | 111 | # |
| 112 | #·····package_remove·telnet-server | 112 | #·····package_remove·telnet-server |
| 113 | # | 113 | # |
| 114 | function·package_remove·{ | 114 | function·package_remove·{ |
| Offset 139, 62 lines modified | Offset 139, 62 lines modified | ||
| 139 | ··echo·"Aborting." | 139 | ··echo·"Aborting." |
| 140 | ··exit·1 | 140 | ··exit·1 |
| 141 | fi | 141 | fi |
| 142 | } | 142 | } |
| 143 | package_remove·rsh | 143 | package_remove·rsh |
| 144 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 144 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36019">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36019"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed |
| 145 | ··package: | 145 | ··package: |
| 146 | ····name="{{item}}" | 146 | ····name="{{item}}" |
| 147 | ····state=absent | 147 | ····state=absent |
| 148 | ··with_items: | 148 | ··with_items: |
| 149 | ····-·rsh | 149 | ····-·rsh |
| 150 | ··tags: | 150 | ··tags: |
| 151 | ····-·package_rsh_removed | 151 | ····-·package_rsh_removed |
| 152 | ····-·unknown_severity | 152 | ····-·unknown_severity |
| 153 | ····-·disable_strategy | 153 | ····-·disable_strategy |
| 154 | ····-·low_complexity | 154 | ····-·low_complexity |
| 155 | ····-·low_disruption | 155 | ····-·low_disruption |
| 156 | ····-·CCE-27274-0 | 156 | ····-·CCE-27274-0 |
| 157 | ····-·NIST-800-171-3.1.13 | 157 | ····-·NIST-800-171-3.1.13 |
| 158 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 158 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh |
| 159 | class·remove_rsh·{ | 159 | class·remove_rsh·{ |
| 160 | ··package·{·'rsh': | 160 | ··package·{·'rsh': |
| 161 | ····ensure·=>·'purged', | 161 | ····ensure·=>·'purged', |
| 162 | ··} | 162 | ··} |
| 163 | } | 163 | } |
| 164 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 164 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 165 | package·--remove=rsh | 165 | package·--remove=rsh |
| 166 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm360 | 166 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36026"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service |
| 167 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with | 167 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with |
| 168 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 168 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 169 | as·a·systemd·socket,·should·be·disabled. | 169 | as·a·systemd·socket,·should·be·disabled. |
| 170 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 170 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 171 | If·using·systemd,· | 171 | If·using·systemd,· |
| 172 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 172 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 173 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which | 173 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which |
| 174 | means·that·data·from·the·login·session,·including·passwords·and | 174 | means·that·data·from·the·login·session,·including·passwords·and |
| 175 | all·other·information·transmitted·during·the·session,·can·be | 175 | all·other·information·transmitted·during·the·session,·can·be |
| 176 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 176 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 177 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 177 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 178 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 178 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36050">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36050"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&&·\ |
| 179 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin | 179 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin |
| 180 | # | 180 | # |
| 181 | #·Disable·rlogin.socket·for·all·systemd·targets | 181 | #·Disable·rlogin.socket·for·all·systemd·targets |
| 182 | # | 182 | # |
| 183 | systemctl·disable·rlogin.socket | 183 | systemctl·disable·rlogin.socket |
| 184 | # | 184 | # |
| 185 | #·Stop·rlogin.socket·if·currently·running | 185 | #·Stop·rlogin.socket·if·currently·running |
| 186 | # | 186 | # |
| 187 | systemctl·stop·rlogin.socket | 187 | systemctl·stop·rlogin.socket |
| 188 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 188 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36051">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36051"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin |
| 189 | ··service: | 189 | ··service: |
| 190 | ····name="{{item}}" | 190 | ····name="{{item}}" |
| 191 | ····enabled="no" | 191 | ····enabled="no" |
| 192 | ····state="stopped" | 192 | ····state="stopped" |
| 193 | ··register:·service_result | 193 | ··register:·service_result |
| 194 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 194 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 195 | ··with_items: | 195 | ··with_items: |
| Offset 207, 39 lines modified | Offset 207, 39 lines modified | ||
| 207 | ····-·low_disruption | 207 | ····-·low_disruption |
| 208 | ····-·CCE-27336-7 | 208 | ····-·CCE-27336-7 |
| 209 | ····-·NIST-800-53-AC-17(8) | 209 | ····-·NIST-800-53-AC-17(8) |
| 210 | ····-·NIST-800-53-CM-7 | 210 | ····-·NIST-800-53-CM-7 |
| 211 | ····-·NIST-800-53-IA-5(1)(c) | 211 | ····-·NIST-800-53-IA-5(1)(c) |
| 212 | ····-·NIST-800-171-3.1.13 | 212 | ····-·NIST-800-171-3.1.13 |
| 213 | ····-·NIST-800-171-3.4.7 | 213 | ····-·NIST-800-171-3.4.7 |
| 214 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm360 | 214 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36056"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 215 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with | 215 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 216 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 216 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 217 | as·a·systemd·socket,·should·be·disabled. | 217 | as·a·systemd·socket,·should·be·disabled. |
| 218 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· | 218 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 219 | If·using·systemd,· | 219 | If·using·systemd,· |
| 220 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 220 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 221 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which | 221 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 222 | means·that·data·from·the·login·session,·including·passwords·and | 222 | means·that·data·from·the·login·session,·including·passwords·and |
| 223 | all·other·information·transmitted·during·the·session,·can·be | 223 | all·other·information·transmitted·during·the·session,·can·be |
| 224 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 224 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 225 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 225 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 226 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 226 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36080">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36080"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 227 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec | 227 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 228 | # | 228 | # |
| Max diff block lines reached; 1006940/1039960 bytes (96.82%) of diff not shown. | |||
| Offset 82, 26 lines modified | Offset 82, 26 lines modified | ||
| 82 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program· | 82 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program· |
| 83 | is·called·<code>sshd</code>·and·provided·by·the·RPM·package | 83 | is·called·<code>sshd</code>·and·provided·by·the·RPM·package |
| 84 | <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary | 84 | <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary |
| 85 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 85 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 86 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 86 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 87 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 87 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 88 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 88 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 89 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm39 | 89 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm39702"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords |
| 90 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·SSH·login·from·accounts·with | 90 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·SSH·login·from·accounts·with |
| 91 | empty·passwords,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>: | 91 | empty·passwords,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>: |
| 92 | <br> | 92 | <br> |
| 93 | <pre>PermitEmptyPasswords·no</pre> | 93 | <pre>PermitEmptyPasswords·no</pre> |
| 94 | <br> | 94 | <br> |
| 95 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | 95 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration |
| 96 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | 96 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that |
| 97 | remote·login·via·SSH·will·require·a·password,·even·in·the·event·of· | 97 | remote·login·via·SSH·will·require·a·password,·even·in·the·event·of· |
| 98 | misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 98 | misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 99 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 99 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 100 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm397 | 100 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm39727">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39727"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 101 | #·it·does·not·exist. | 101 | #·it·does·not·exist. |
| 102 | # | 102 | # |
| 103 | #·Expects·arguments: | 103 | #·Expects·arguments: |
| 104 | # | 104 | # |
| 105 | #·config_file:» » Configuration·file·that·will·be·modified | 105 | #·config_file:» » Configuration·file·that·will·be·modified |
| 106 | #·key:» » » Configuration·option·to·change | 106 | #·key:» » » Configuration·option·to·change |
| 107 | #·value:»»Value·of·the·configuration·option·to·change | 107 | #·value:»»Value·of·the·configuration·option·to·change |
| Offset 172, 15 lines modified | Offset 172, 15 lines modified | ||
| 172 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 172 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 173 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 173 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 174 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 174 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 175 | ··fi | 175 | ··fi |
| 176 | } | 176 | } |
| 177 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s' | 177 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s' |
| 178 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm397 | 178 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm39729">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39729"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Disable·SSH·Access·via·Empty·Passwords |
| 179 | ··lineinfile: | 179 | ··lineinfile: |
| 180 | ····create:·yes | 180 | ····create:·yes |
| 181 | ····dest:·/etc/ssh/sshd_config | 181 | ····dest:·/etc/ssh/sshd_config |
| 182 | ····regexp:·^PermitEmptyPasswords | 182 | ····regexp:·^PermitEmptyPasswords |
| 183 | ····line:·PermitEmptyPasswords·no | 183 | ····line:·PermitEmptyPasswords·no |
| 184 | ····validate:·sshd·-t·-f·%s | 184 | ····validate:·sshd·-t·-f·%s |
| 185 | ··tags: | 185 | ··tags: |
| Offset 193, 21 lines modified | Offset 193, 21 lines modified | ||
| 193 | ····-·NIST-800-53-AC-3 | 193 | ····-·NIST-800-53-AC-3 |
| 194 | ····-·NIST-800-53-AC-6 | 194 | ····-·NIST-800-53-AC-6 |
| 195 | ····-·NIST-800-53-CM-6(b) | 195 | ····-·NIST-800-53-CM-6(b) |
| 196 | ····-·NIST-800-171-3.1.1 | 196 | ····-·NIST-800-171-3.1.1 |
| 197 | ····-·NIST-800-171-3.1.5 | 197 | ····-·NIST-800-171-3.1.5 |
| 198 | ····-·CJIS-5.5.6 | 198 | ····-·CJIS-5.5.6 |
| 199 | ····-·DISA-STIG-RHEL-07-010300 | 199 | ····-·DISA-STIG-RHEL-07-010300 |
| 200 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm397 | 200 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm39735"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count |
| 201 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, | 201 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 202 | edit·<code>/etc/ssh/sshd_config</code>·as·follows: | 202 | edit·<code>/etc/ssh/sshd_config</code>·as·follows: |
| 203 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> | 203 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 204 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 204 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 205 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 205 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 206 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm397 | 206 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm39760">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39760"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 207 | #·it·does·not·exist. | 207 | #·it·does·not·exist. |
| 208 | # | 208 | # |
| 209 | #·Expects·arguments: | 209 | #·Expects·arguments: |
| 210 | # | 210 | # |
| 211 | #·config_file:» » Configuration·file·that·will·be·modified | 211 | #·config_file:» » Configuration·file·that·will·be·modified |
| 212 | #·key:» » » Configuration·option·to·change | 212 | #·key:» » » Configuration·option·to·change |
| 213 | #·value:»»Value·of·the·configuration·option·to·change | 213 | #·value:»»Value·of·the·configuration·option·to·change |
| Offset 278, 15 lines modified | Offset 278, 15 lines modified | ||
| 278 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 278 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 279 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 279 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 280 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 280 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 281 | ··fi | 281 | ··fi |
| 282 | } | 282 | } |
| 283 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' | 283 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' |
| 284 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm397 | 284 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm39762">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39762"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Set·SSH·Client·Alive·Count |
| 285 | ··lineinfile: | 285 | ··lineinfile: |
| 286 | ····create:·yes | 286 | ····create:·yes |
| 287 | ····dest:·/etc/ssh/sshd_config | 287 | ····dest:·/etc/ssh/sshd_config |
| 288 | ····regexp:·^ClientAliveCountMax | 288 | ····regexp:·^ClientAliveCountMax |
| 289 | ····line:·ClientAliveCountMax·0 | 289 | ····line:·ClientAliveCountMax·0 |
| 290 | ····validate:·sshd·-t·-f·%s | 290 | ····validate:·sshd·-t·-f·%s |
| 291 | ··#notify:·restart·sshd | 291 | ··#notify:·restart·sshd |
| Offset 299, 25 lines modified | Offset 299, 35 lines modified | ||
| 299 | ····-·CCE-27082-7 | 299 | ····-·CCE-27082-7 |
| 300 | ····-·NIST-800-53-AC-2(5) | 300 | ····-·NIST-800-53-AC-2(5) |
| 301 | ····-·NIST-800-53-SA-8 | 301 | ····-·NIST-800-53-SA-8 |
| 302 | ····-·NIST-800-53-AC-12 | 302 | ····-·NIST-800-53-AC-12 |
| 303 | ····-·NIST-800-171-3.1.11 | 303 | ····-·NIST-800-171-3.1.11 |
| 304 | ····-·CJIS-5.5.6 | 304 | ····-·CJIS-5.5.6 |
| 305 | ····-·DISA-STIG-RHEL-07-040340 | 305 | ····-·DISA-STIG-RHEL-07-040340 |
| 306 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_e | 306 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm39768"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 307 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_e | 307 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout |
| 308 | 308 | interval. | |
| 309 | 309 | After·this·interval·has·passed,·the·idle·user·will·be | |
| 310 | 310 | automatically·logged·out. | |
| 311 | 311 | <br><br> | |
| 312 | 312 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | |
| 313 | 313 | follows: | |
| 314 | 314 | <pre>ClientAliveInterval·<b>interval</b></pre> | |
| 315 | 315 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | |
| 316 | 316 | of·10·minutes,·set·<b>interval</b>·to·600. | |
| 317 | <br><br> | ||
| 318 | If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will· | ||
| 319 | preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | ||
| 320 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of | ||
| 321 | opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session | ||
| 322 | enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 323 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 324 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm39793">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39793"><pre><code> | ||
| 325 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">1800</abbr>" | ||
| 326 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | ||
| 317 | #·it·does·not·exist. | 327 | #·it·does·not·exist. |
| 318 | # | 328 | # |
| 319 | #·Expects·arguments: | 329 | #·Expects·arguments: |
| 320 | # | 330 | # |
| 321 | #·config_file:» » Configuration·file·that·will·be·modified | 331 | #·config_file:» » Configuration·file·that·will·be·modified |
| 322 | #·key:» » » Configuration·option·to·change | 332 | #·key:» » » Configuration·option·to·change |
| 323 | #·value:»»Value·of·the·configuration·option·to·change | 333 | #·value:»»Value·of·the·configuration·option·to·change |
| Offset 387, 45 lines modified | Offset 397, 54 lines modified | ||
| 387 | ··else | 397 | ··else |
| 388 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 398 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 389 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 399 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 390 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 400 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 391 | ··fi | 401 | ··fi |
| 392 | } | 402 | } |
| 393 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 403 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 394 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm39 | 404 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm39796">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39796"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable |
| 405 | ··set_fact: | ||
| Max diff block lines reached; 456402/483650 bytes (94.37%) of diff not shown. | |||
| Offset 56, 27 lines modified | Offset 56, 24 lines modified | ||
| 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_routing">Network·Routing</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·1045,·SHA:·34a457b90e6dfc8c26555d3cb2e11b5b3c1823d634243e7c52f3554b7bfc3eae·...·]</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are | ||
| 74 | ··self-sufficient·and·self-contained·applications·using·the·resource | ||
| 75 | ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services | ||
| 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible |
| 77 | services·which·have·historically·caused·problems·for·system | 74 | services·which·have·historically·caused·problems·for·system |
| 78 | security,·and·for·which·disabling·or·severely·limiting·the·service | 75 | security,·and·for·which·disabling·or·severely·limiting·the·service |
| 79 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of | 76 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of |
| 80 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·7 | 77 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·7 |
| 81 | by·default. | 78 | by·default. |
| 82 | <br><br> | 79 | <br><br> |
| Offset 110, 15 lines modified | Offset 107, 51 lines modified | ||
| 110 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 107 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 111 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 108 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 112 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 109 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 113 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 110 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 114 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 111 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 115 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services | 112 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services |
| 116 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages | 113 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages |
| 117 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 114 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_imap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server |
| 115 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·provides·IMAP·and·POP3·services.·It·is·not | ||
| 116 | installed·by·default.·The·project·page·at·<a·href="http://www.dovecot.org">http://www.dovecot.org</a> | ||
| 117 | contains·more·detailed·information·about·Dovecot | ||
| 118 | configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary | ||
| 119 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or | ||
| 120 | POP3·server,·the·dovecot·software·should·be·configured·securely·by·following | ||
| 121 | the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support | ||
| 122 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the· | ||
| 123 | Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot· | ||
| 124 | server·in·order·to·read·their·mail,·and·passwords·should·never·be· | ||
| 125 | transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is· | ||
| 126 | downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates· | ||
| 127 | to·authenticate·the·server,·preventing·another·system·from·impersonating· | ||
| 128 | the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server | ||
| 129 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound | ||
| 130 | access·to·any·services.·This·modification·will·allow·remote·hosts·to | ||
| 131 | initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports | ||
| 132 | on·the·server·in·their·default·protected·state. | ||
| 133 | ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s): | ||
| 134 | ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and | ||
| 135 | ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols | ||
| 136 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as· | ||
| 137 | SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server· | ||
| 138 | to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.· | ||
| 139 | Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with· | ||
| 140 | only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,· | ||
| 141 | <code>pop3</code>,·<code>pop3s</code>)·required: | ||
| 142 | <pre>protocols·=·PROTOCOL</pre> | ||
| 143 | If·possible,·require·SSL·protection·for·all·transactions.·The·SSL· | ||
| 144 | protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for· | ||
| 145 | pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.· | ||
| 146 | An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the· | ||
| 147 | client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot | ||
| 148 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or | ||
| 149 | POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack | ||
| 118 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server | 150 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 119 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to | 151 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 120 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | 152 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means |
| 121 | that·passwords·and·other·data·transmitted·during·the·session·can·be | 153 | that·passwords·and·other·data·transmitted·during·the·session·can·be |
| 122 | captured·and·that·the·session·is·vulnerable·to·hijacking. | 154 | captured·and·that·the·session·is·vulnerable·to·hijacking. |
| 123 | Therefore,·running·the·FTP·server·software·is·not·recommended. | 155 | Therefore,·running·the·FTP·server·software·is·not·recommended. |
| 124 | <br><br> | 156 | <br><br> |
| Offset 874, 51 lines modified | Offset 907, 18 lines modified | ||
| 874 | supersede·domain-name-servers·192.168.1.2; | 907 | supersede·domain-name-servers·192.168.1.2; |
| 875 | supersede·nis-domain·""; | 908 | supersede·nis-domain·""; |
| 876 | supersede·nis-servers·""; | 909 | supersede·nis-servers·""; |
| 877 | supersede·ntp-servers·"ntp.example.com·"; | 910 | supersede·ntp-servers·"ntp.example.com·"; |
| 878 | supersede·routers·192.168.1.1; | 911 | supersede·routers·192.168.1.1; |
| 879 | supersede·time-offset·-18000; | 912 | supersede·time-offset·-18000; |
| 880 | request·subnet-mask; | 913 | request·subnet-mask; |
| 881 | require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 914 | require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_docker"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_docker">Docker·Service |
| 882 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 915 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are |
| 883 | 916 | ··self-sufficient·and·self-contained·applications·using·the·resource | |
| 884 | contains | 917 | ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC |
| 885 | configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary | ||
| 886 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or | ||
| 887 | POP3·server,·the·dovecot·software·should·be·configured·securely·by·following | ||
| 888 | the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support | ||
| 889 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the· | ||
| 890 | Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot· | ||
| 891 | server·in·order·to·read·their·mail,·and·passwords·should·never·be· | ||
| 892 | transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is· | ||
| 893 | downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates· | ||
| 894 | to·authenticate·the·server,·preventing·another·system·from·impersonating· | ||
| 895 | the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server | ||
| 896 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound | ||
| 897 | access·to·any·services.·This·modification·will·allow·remote·hosts·to | ||
| 898 | initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports | ||
| 899 | on·the·server·in·their·default·protected·state. | ||
| 900 | ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s): | ||
| 901 | ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and | ||
| 902 | ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols | ||
| 903 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as· | ||
| 904 | SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server· | ||
| 905 | to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.· | ||
| 906 | Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with· | ||
| 907 | only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,· | ||
| 908 | <code>pop3</code>,·<code>pop3s</code>)·required: | ||
| 909 | <pre>protocols·=·PROTOCOL</pre> | ||
| 910 | If·possible,·require·SSL·protection·for·all·transactions.·The·SSL· | ||
| 911 | protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for· | ||
| 912 | pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.· | ||
| 913 | An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the· | ||
| 914 | client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot | ||
| 915 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or | ||
| 916 | POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC | ||
| 917 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for | 918 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for |
| 918 | the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the | 919 | the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the |
| 919 | circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies, | 920 | circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies, |
| Max diff block lines reached; 84025/118662 bytes (70.81%) of diff not shown. | |||
| Offset 90, 24 lines modified | Offset 90, 24 lines modified | ||
| 90 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 90 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 91 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 91 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 92 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 92 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 93 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 93 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 94 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 94 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 95 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 95 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 96 | allow·cleartext·remote·access·and·have·an·insecure·trust | 96 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 97 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm3 | 97 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35994"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package |
| 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands | 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands |
| 99 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have | 99 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have |
| 100 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, | 100 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, |
| 101 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from | 101 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from |
| 102 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing | 102 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing |
| 103 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes | 103 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes |
| 104 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 104 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 105 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 105 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 106 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 106 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36017">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36017"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 107 | # | 107 | # |
| 108 | #·Example·Call(s): | 108 | #·Example·Call(s): |
| 109 | # | 109 | # |
| 110 | #·····package_remove·telnet-server | 110 | #·····package_remove·telnet-server |
| 111 | # | 111 | # |
| 112 | function·package_remove·{ | 112 | function·package_remove·{ |
| Offset 137, 62 lines modified | Offset 137, 62 lines modified | ||
| 137 | ··echo·"Aborting." | 137 | ··echo·"Aborting." |
| 138 | ··exit·1 | 138 | ··exit·1 |
| 139 | fi | 139 | fi |
| 140 | } | 140 | } |
| 141 | package_remove·rsh | 141 | package_remove·rsh |
| 142 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 142 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36019">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36019"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed |
| 143 | ··package: | 143 | ··package: |
| 144 | ····name="{{item}}" | 144 | ····name="{{item}}" |
| 145 | ····state=absent | 145 | ····state=absent |
| 146 | ··with_items: | 146 | ··with_items: |
| 147 | ····-·rsh | 147 | ····-·rsh |
| 148 | ··tags: | 148 | ··tags: |
| 149 | ····-·package_rsh_removed | 149 | ····-·package_rsh_removed |
| 150 | ····-·unknown_severity | 150 | ····-·unknown_severity |
| 151 | ····-·disable_strategy | 151 | ····-·disable_strategy |
| 152 | ····-·low_complexity | 152 | ····-·low_complexity |
| 153 | ····-·low_disruption | 153 | ····-·low_disruption |
| 154 | ····-·CCE-27274-0 | 154 | ····-·CCE-27274-0 |
| 155 | ····-·NIST-800-171-3.1.13 | 155 | ····-·NIST-800-171-3.1.13 |
| 156 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 156 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh |
| 157 | class·remove_rsh·{ | 157 | class·remove_rsh·{ |
| 158 | ··package·{·'rsh': | 158 | ··package·{·'rsh': |
| 159 | ····ensure·=>·'purged', | 159 | ····ensure·=>·'purged', |
| 160 | ··} | 160 | ··} |
| 161 | } | 161 | } |
| 162 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 162 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 163 | package·--remove=rsh | 163 | package·--remove=rsh |
| 164 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm360 | 164 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36026"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service |
| 165 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with | 165 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with |
| 166 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 166 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 167 | as·a·systemd·socket,·should·be·disabled. | 167 | as·a·systemd·socket,·should·be·disabled. |
| 168 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 168 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 169 | If·using·systemd,· | 169 | If·using·systemd,· |
| 170 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 170 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 171 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which | 171 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which |
| 172 | means·that·data·from·the·login·session,·including·passwords·and | 172 | means·that·data·from·the·login·session,·including·passwords·and |
| 173 | all·other·information·transmitted·during·the·session,·can·be | 173 | all·other·information·transmitted·during·the·session,·can·be |
| 174 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 174 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 175 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 175 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 176 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 176 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36050">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36050"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&&·\ |
| 177 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin | 177 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin |
| 178 | # | 178 | # |
| 179 | #·Disable·rlogin.socket·for·all·systemd·targets | 179 | #·Disable·rlogin.socket·for·all·systemd·targets |
| 180 | # | 180 | # |
| 181 | systemctl·disable·rlogin.socket | 181 | systemctl·disable·rlogin.socket |
| 182 | # | 182 | # |
| 183 | #·Stop·rlogin.socket·if·currently·running | 183 | #·Stop·rlogin.socket·if·currently·running |
| 184 | # | 184 | # |
| 185 | systemctl·stop·rlogin.socket | 185 | systemctl·stop·rlogin.socket |
| 186 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 186 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36051">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36051"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin |
| 187 | ··service: | 187 | ··service: |
| 188 | ····name="{{item}}" | 188 | ····name="{{item}}" |
| 189 | ····enabled="no" | 189 | ····enabled="no" |
| 190 | ····state="stopped" | 190 | ····state="stopped" |
| 191 | ··register:·service_result | 191 | ··register:·service_result |
| 192 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 192 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 193 | ··with_items: | 193 | ··with_items: |
| Offset 205, 39 lines modified | Offset 205, 39 lines modified | ||
| 205 | ····-·low_disruption | 205 | ····-·low_disruption |
| 206 | ····-·CCE-27336-7 | 206 | ····-·CCE-27336-7 |
| 207 | ····-·NIST-800-53-AC-17(8) | 207 | ····-·NIST-800-53-AC-17(8) |
| 208 | ····-·NIST-800-53-CM-7 | 208 | ····-·NIST-800-53-CM-7 |
| 209 | ····-·NIST-800-53-IA-5(1)(c) | 209 | ····-·NIST-800-53-IA-5(1)(c) |
| 210 | ····-·NIST-800-171-3.1.13 | 210 | ····-·NIST-800-171-3.1.13 |
| 211 | ····-·NIST-800-171-3.4.7 | 211 | ····-·NIST-800-171-3.4.7 |
| 212 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm360 | 212 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36056"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with | 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 214 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 214 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 215 | as·a·systemd·socket,·should·be·disabled. | 215 | as·a·systemd·socket,·should·be·disabled. |
| 216 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· | 216 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 217 | If·using·systemd,· | 217 | If·using·systemd,· |
| 218 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 218 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 219 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which | 219 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 220 | means·that·data·from·the·login·session,·including·passwords·and | 220 | means·that·data·from·the·login·session,·including·passwords·and |
| 221 | all·other·information·transmitted·during·the·session,·can·be | 221 | all·other·information·transmitted·during·the·session,·can·be |
| 222 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 222 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 223 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 223 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 224 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 224 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36080">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36080"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 225 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec | 225 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 226 | # | 226 | # |
| 227 | #·Disable·rexec.socket·for·all·systemd·targets | 227 | #·Disable·rexec.socket·for·all·systemd·targets |
| 228 | # | 228 | # |
| 229 | systemctl·disable·rexec.socket | 229 | systemctl·disable·rexec.socket |
| 230 | # | 230 | # |
| 231 | #·Stop·rexec.socket·if·currently·running | 231 | #·Stop·rexec.socket·if·currently·running |
| 232 | # | 232 | # |
| 233 | systemctl·stop·rexec.socket | 233 | systemctl·stop·rexec.socket |
| 234 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 234 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36081">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36081"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 235 | ··service: | 235 | ··service: |
| 236 | ····name="{{item}}" | 236 | ····name="{{item}}" |
| 237 | ····enabled="no" | 237 | ····enabled="no" |
| 238 | ····state="stopped" | 238 | ····state="stopped" |
| 239 | ··register:·service_result | 239 | ··register:·service_result |
| 240 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 240 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 241 | ··with_items: | 241 | ··with_items: |
| Max diff block lines reached; 838078/863207 bytes (97.09%) of diff not shown. | |||
| Offset 98, 24 lines modified | Offset 98, 24 lines modified | ||
| 98 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 98 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 99 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 99 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 100 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 100 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 101 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 101 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 102 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 102 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 103 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 103 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 104 | allow·cleartext·remote·access·and·have·an·insecure·trust | 104 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 105 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm3 | 105 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35994"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package |
| 106 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands | 106 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands |
| 107 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have | 107 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have |
| 108 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, | 108 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, |
| 109 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from | 109 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from |
| 110 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing | 110 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing |
| 111 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes | 111 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes |
| 112 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 112 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 113 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 113 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 114 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 114 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36017">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36017"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 115 | # | 115 | # |
| 116 | #·Example·Call(s): | 116 | #·Example·Call(s): |
| 117 | # | 117 | # |
| 118 | #·····package_remove·telnet-server | 118 | #·····package_remove·telnet-server |
| 119 | # | 119 | # |
| 120 | function·package_remove·{ | 120 | function·package_remove·{ |
| Offset 145, 62 lines modified | Offset 145, 62 lines modified | ||
| 145 | ··echo·"Aborting." | 145 | ··echo·"Aborting." |
| 146 | ··exit·1 | 146 | ··exit·1 |
| 147 | fi | 147 | fi |
| 148 | } | 148 | } |
| 149 | package_remove·rsh | 149 | package_remove·rsh |
| 150 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 150 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36019">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36019"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed |
| 151 | ··package: | 151 | ··package: |
| 152 | ····name="{{item}}" | 152 | ····name="{{item}}" |
| 153 | ····state=absent | 153 | ····state=absent |
| 154 | ··with_items: | 154 | ··with_items: |
| 155 | ····-·rsh | 155 | ····-·rsh |
| 156 | ··tags: | 156 | ··tags: |
| 157 | ····-·package_rsh_removed | 157 | ····-·package_rsh_removed |
| 158 | ····-·unknown_severity | 158 | ····-·unknown_severity |
| 159 | ····-·disable_strategy | 159 | ····-·disable_strategy |
| 160 | ····-·low_complexity | 160 | ····-·low_complexity |
| 161 | ····-·low_disruption | 161 | ····-·low_disruption |
| 162 | ····-·CCE-27274-0 | 162 | ····-·CCE-27274-0 |
| 163 | ····-·NIST-800-171-3.1.13 | 163 | ····-·NIST-800-171-3.1.13 |
| 164 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 164 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh |
| 165 | class·remove_rsh·{ | 165 | class·remove_rsh·{ |
| 166 | ··package·{·'rsh': | 166 | ··package·{·'rsh': |
| 167 | ····ensure·=>·'purged', | 167 | ····ensure·=>·'purged', |
| 168 | ··} | 168 | ··} |
| 169 | } | 169 | } |
| 170 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 170 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 171 | package·--remove=rsh | 171 | package·--remove=rsh |
| 172 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm360 | 172 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36026"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service |
| 173 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with | 173 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with |
| 174 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 174 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 175 | as·a·systemd·socket,·should·be·disabled. | 175 | as·a·systemd·socket,·should·be·disabled. |
| 176 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 176 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 177 | If·using·systemd,· | 177 | If·using·systemd,· |
| 178 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 178 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 179 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which | 179 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which |
| 180 | means·that·data·from·the·login·session,·including·passwords·and | 180 | means·that·data·from·the·login·session,·including·passwords·and |
| 181 | all·other·information·transmitted·during·the·session,·can·be | 181 | all·other·information·transmitted·during·the·session,·can·be |
| 182 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 182 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 183 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 183 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 184 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 184 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36050">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36050"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&&·\ |
| 185 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin | 185 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin |
| 186 | # | 186 | # |
| 187 | #·Disable·rlogin.socket·for·all·systemd·targets | 187 | #·Disable·rlogin.socket·for·all·systemd·targets |
| 188 | # | 188 | # |
| 189 | systemctl·disable·rlogin.socket | 189 | systemctl·disable·rlogin.socket |
| 190 | # | 190 | # |
| 191 | #·Stop·rlogin.socket·if·currently·running | 191 | #·Stop·rlogin.socket·if·currently·running |
| 192 | # | 192 | # |
| 193 | systemctl·stop·rlogin.socket | 193 | systemctl·stop·rlogin.socket |
| 194 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 194 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36051">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36051"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin |
| 195 | ··service: | 195 | ··service: |
| 196 | ····name="{{item}}" | 196 | ····name="{{item}}" |
| 197 | ····enabled="no" | 197 | ····enabled="no" |
| 198 | ····state="stopped" | 198 | ····state="stopped" |
| 199 | ··register:·service_result | 199 | ··register:·service_result |
| 200 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 200 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 201 | ··with_items: | 201 | ··with_items: |
| Offset 213, 39 lines modified | Offset 213, 39 lines modified | ||
| 213 | ····-·low_disruption | 213 | ····-·low_disruption |
| 214 | ····-·CCE-27336-7 | 214 | ····-·CCE-27336-7 |
| 215 | ····-·NIST-800-53-AC-17(8) | 215 | ····-·NIST-800-53-AC-17(8) |
| 216 | ····-·NIST-800-53-CM-7 | 216 | ····-·NIST-800-53-CM-7 |
| 217 | ····-·NIST-800-53-IA-5(1)(c) | 217 | ····-·NIST-800-53-IA-5(1)(c) |
| 218 | ····-·NIST-800-171-3.1.13 | 218 | ····-·NIST-800-171-3.1.13 |
| 219 | ····-·NIST-800-171-3.4.7 | 219 | ····-·NIST-800-171-3.4.7 |
| 220 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm360 | 220 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36056"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 221 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with | 221 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 222 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 222 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 223 | as·a·systemd·socket,·should·be·disabled. | 223 | as·a·systemd·socket,·should·be·disabled. |
| 224 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· | 224 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 225 | If·using·systemd,· | 225 | If·using·systemd,· |
| 226 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 226 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 227 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which | 227 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 228 | means·that·data·from·the·login·session,·including·passwords·and | 228 | means·that·data·from·the·login·session,·including·passwords·and |
| 229 | all·other·information·transmitted·during·the·session,·can·be | 229 | all·other·information·transmitted·during·the·session,·can·be |
| 230 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 230 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 231 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 231 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 232 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 232 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36080">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36080"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 233 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec | 233 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 234 | # | 234 | # |
| 235 | #·Disable·rexec.socket·for·all·systemd·targets | 235 | #·Disable·rexec.socket·for·all·systemd·targets |
| 236 | # | 236 | # |
| 237 | systemctl·disable·rexec.socket | 237 | systemctl·disable·rexec.socket |
| 238 | # | 238 | # |
| 239 | #·Stop·rexec.socket·if·currently·running | 239 | #·Stop·rexec.socket·if·currently·running |
| 240 | # | 240 | # |
| 241 | systemctl·stop·rexec.socket | 241 | systemctl·stop·rexec.socket |
| 242 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 242 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36081">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36081"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 243 | ··service: | 243 | ··service: |
| 244 | ····name="{{item}}" | 244 | ····name="{{item}}" |
| 245 | ····enabled="no" | 245 | ····enabled="no" |
| 246 | ····state="stopped" | 246 | ····state="stopped" |
| 247 | ··register:·service_result | 247 | ··register:·service_result |
| 248 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 248 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 249 | ··with_items: | 249 | ··with_items: |
| Max diff block lines reached; 1663737/1688866 bytes (98.51%) of diff not shown. | |||
| Offset 109, 24 lines modified | Offset 109, 24 lines modified | ||
| 109 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 109 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 110 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 110 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 111 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 111 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 112 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 112 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 113 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 113 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 114 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 114 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 115 | allow·cleartext·remote·access·and·have·an·insecure·trust | 115 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 116 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm3 | 116 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35994"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package |
| 117 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands | 117 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands |
| 118 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have | 118 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have |
| 119 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, | 119 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, |
| 120 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from | 120 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from |
| 121 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing | 121 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing |
| 122 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes | 122 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes |
| 123 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 123 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 124 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 124 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 125 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 125 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36017">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36017"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 126 | # | 126 | # |
| 127 | #·Example·Call(s): | 127 | #·Example·Call(s): |
| 128 | # | 128 | # |
| 129 | #·····package_remove·telnet-server | 129 | #·····package_remove·telnet-server |
| 130 | # | 130 | # |
| 131 | function·package_remove·{ | 131 | function·package_remove·{ |
| Offset 156, 62 lines modified | Offset 156, 62 lines modified | ||
| 156 | ··echo·"Aborting." | 156 | ··echo·"Aborting." |
| 157 | ··exit·1 | 157 | ··exit·1 |
| 158 | fi | 158 | fi |
| 159 | } | 159 | } |
| 160 | package_remove·rsh | 160 | package_remove·rsh |
| 161 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 161 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36019">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36019"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed |
| 162 | ··package: | 162 | ··package: |
| 163 | ····name="{{item}}" | 163 | ····name="{{item}}" |
| 164 | ····state=absent | 164 | ····state=absent |
| 165 | ··with_items: | 165 | ··with_items: |
| 166 | ····-·rsh | 166 | ····-·rsh |
| 167 | ··tags: | 167 | ··tags: |
| 168 | ····-·package_rsh_removed | 168 | ····-·package_rsh_removed |
| 169 | ····-·unknown_severity | 169 | ····-·unknown_severity |
| 170 | ····-·disable_strategy | 170 | ····-·disable_strategy |
| 171 | ····-·low_complexity | 171 | ····-·low_complexity |
| 172 | ····-·low_disruption | 172 | ····-·low_disruption |
| 173 | ····-·CCE-27274-0 | 173 | ····-·CCE-27274-0 |
| 174 | ····-·NIST-800-171-3.1.13 | 174 | ····-·NIST-800-171-3.1.13 |
| 175 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 175 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh |
| 176 | class·remove_rsh·{ | 176 | class·remove_rsh·{ |
| 177 | ··package·{·'rsh': | 177 | ··package·{·'rsh': |
| 178 | ····ensure·=>·'purged', | 178 | ····ensure·=>·'purged', |
| 179 | ··} | 179 | ··} |
| 180 | } | 180 | } |
| 181 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 181 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 182 | package·--remove=rsh | 182 | package·--remove=rsh |
| 183 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm360 | 183 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36026"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service |
| 184 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with | 184 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with |
| 185 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 185 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 186 | as·a·systemd·socket,·should·be·disabled. | 186 | as·a·systemd·socket,·should·be·disabled. |
| 187 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 187 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 188 | If·using·systemd,· | 188 | If·using·systemd,· |
| 189 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 189 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 190 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which | 190 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which |
| 191 | means·that·data·from·the·login·session,·including·passwords·and | 191 | means·that·data·from·the·login·session,·including·passwords·and |
| 192 | all·other·information·transmitted·during·the·session,·can·be | 192 | all·other·information·transmitted·during·the·session,·can·be |
| 193 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 193 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 194 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 194 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 195 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 195 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36050">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36050"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&&·\ |
| 196 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin | 196 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin |
| 197 | # | 197 | # |
| 198 | #·Disable·rlogin.socket·for·all·systemd·targets | 198 | #·Disable·rlogin.socket·for·all·systemd·targets |
| 199 | # | 199 | # |
| 200 | systemctl·disable·rlogin.socket | 200 | systemctl·disable·rlogin.socket |
| 201 | # | 201 | # |
| 202 | #·Stop·rlogin.socket·if·currently·running | 202 | #·Stop·rlogin.socket·if·currently·running |
| 203 | # | 203 | # |
| 204 | systemctl·stop·rlogin.socket | 204 | systemctl·stop·rlogin.socket |
| 205 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 205 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36051">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36051"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin |
| 206 | ··service: | 206 | ··service: |
| 207 | ····name="{{item}}" | 207 | ····name="{{item}}" |
| 208 | ····enabled="no" | 208 | ····enabled="no" |
| 209 | ····state="stopped" | 209 | ····state="stopped" |
| 210 | ··register:·service_result | 210 | ··register:·service_result |
| 211 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 211 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 212 | ··with_items: | 212 | ··with_items: |
| Offset 224, 39 lines modified | Offset 224, 39 lines modified | ||
| 224 | ····-·low_disruption | 224 | ····-·low_disruption |
| 225 | ····-·CCE-27336-7 | 225 | ····-·CCE-27336-7 |
| 226 | ····-·NIST-800-53-AC-17(8) | 226 | ····-·NIST-800-53-AC-17(8) |
| 227 | ····-·NIST-800-53-CM-7 | 227 | ····-·NIST-800-53-CM-7 |
| 228 | ····-·NIST-800-53-IA-5(1)(c) | 228 | ····-·NIST-800-53-IA-5(1)(c) |
| 229 | ····-·NIST-800-171-3.1.13 | 229 | ····-·NIST-800-171-3.1.13 |
| 230 | ····-·NIST-800-171-3.4.7 | 230 | ····-·NIST-800-171-3.4.7 |
| 231 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm360 | 231 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36056"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 232 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with | 232 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 233 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 233 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 234 | as·a·systemd·socket,·should·be·disabled. | 234 | as·a·systemd·socket,·should·be·disabled. |
| 235 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· | 235 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 236 | If·using·systemd,· | 236 | If·using·systemd,· |
| 237 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 237 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 238 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which | 238 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 239 | means·that·data·from·the·login·session,·including·passwords·and | 239 | means·that·data·from·the·login·session,·including·passwords·and |
| 240 | all·other·information·transmitted·during·the·session,·can·be | 240 | all·other·information·transmitted·during·the·session,·can·be |
| 241 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 241 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 242 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 242 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 243 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 243 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36080">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36080"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 244 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec | 244 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 245 | # | 245 | # |
| 246 | #·Disable·rexec.socket·for·all·systemd·targets | 246 | #·Disable·rexec.socket·for·all·systemd·targets |
| 247 | # | 247 | # |
| 248 | systemctl·disable·rexec.socket | 248 | systemctl·disable·rexec.socket |
| 249 | # | 249 | # |
| 250 | #·Stop·rexec.socket·if·currently·running | 250 | #·Stop·rexec.socket·if·currently·running |
| 251 | # | 251 | # |
| 252 | systemctl·stop·rexec.socket | 252 | systemctl·stop·rexec.socket |
| 253 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 253 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36081">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36081"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 254 | ··service: | 254 | ··service: |
| 255 | ····name="{{item}}" | 255 | ····name="{{item}}" |
| 256 | ····enabled="no" | 256 | ····enabled="no" |
| 257 | ····state="stopped" | 257 | ····state="stopped" |
| 258 | ··register:·service_result | 258 | ··register:·service_result |
| 259 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 259 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 260 | ··with_items: | 260 | ··with_items: |
| Max diff block lines reached; 1663739/1688870 bytes (98.51%) of diff not shown. | |||
| Offset 116, 15 lines modified | Offset 116, 15 lines modified | ||
| 116 | <br><br> | 116 | <br><br> |
| 117 | Refer·to·<a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>·for·more·detailed·comparison·of·features·of·<code>chronyd</code> | 117 | Refer·to·<a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>·for·more·detailed·comparison·of·features·of·<code>chronyd</code> |
| 118 | and·<code>ntpd</code>·daemon·features·respectively,·and·for·further·guidance·how·to | 118 | and·<code>ntpd</code>·daemon·features·respectively,·and·for·further·guidance·how·to |
| 119 | choose·between·the·two·NTP·daemons. | 119 | choose·between·the·two·NTP·daemons. |
| 120 | <br><br> | 120 | <br><br> |
| 121 | The·upstream·manual·pages·at·<a·href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</a>·for | 121 | The·upstream·manual·pages·at·<a·href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</a>·for |
| 122 | <code>chronyd</code>·and·<a·href="http://www.ntp.org">http://www.ntp.org</a>·for·<code>ntpd</code>·provide·additional | 122 | <code>chronyd</code>·and·<a·href="http://www.ntp.org">http://www.ntp.org</a>·for·<code>ntpd</code>·provide·additional |
| 123 | information·on·the·capabilities·and·configuration·of·each·of·the·NTP·daemons.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm384 | 123 | information·on·the·capabilities·and·configuration·of·each·of·the·NTP·daemons.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm38485"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 124 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete | 124 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete |
| 125 | production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be | 125 | production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be |
| 126 | configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the | 126 | configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the |
| 127 | default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to | 127 | default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to |
| 128 | <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a> | 128 | <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a> |
| 129 | for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for | 129 | for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for |
| 130 | further·guidance·how·to·choose·between·the·two·NTP·daemons. | 130 | further·guidance·how·to·choose·between·the·two·NTP·daemons. |
| Offset 137, 15 lines modified | Offset 137, 15 lines modified | ||
| 137 | Add·additional·lines·of·the·following·form,·substituting·the·IP·address·or | 137 | Add·additional·lines·of·the·following·form,·substituting·the·IP·address·or |
| 138 | hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 138 | hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 139 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | 139 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of |
| 140 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | 140 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes |
| 141 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | 141 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for |
| 142 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 142 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 143 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 143 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 144 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38 | 144 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38505">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38505"><pre><code> |
| 145 | var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>" | 145 | var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>" |
| 146 | #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here. | 146 | #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here. |
| 147 | #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries | 147 | #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries |
| 148 | #·$1:·Path·to·the·config·file | 148 | #·$1:·Path·to·the·config·file |
| 149 | #·$2:·Comma-separated·list·of·servers | 149 | #·$2:·Comma-separated·list·of·servers |
| 150 | function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{ | 150 | function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{ |
| Offset 164, 15 lines modified | Offset 164, 15 lines modified | ||
| 164 | rhel7_ensure_there_are_servers_in_ntp_compatible_config_file | 164 | rhel7_ensure_there_are_servers_in_ntp_compatible_config_file |
| 165 | config_file="/etc/ntp.conf" | 165 | config_file="/etc/ntp.conf" |
| 166 | /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf" | 166 | /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf" |
| 167 | [·"$(grep·-c·'^server'·"$config_file")"·-gt·1·]·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers" | 167 | [·"$(grep·-c·'^server'·"$config_file")"·-gt·1·]·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers" |
| 168 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·id="guide-tree-leaf-idm38 | 168 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·id="guide-tree-leaf-idm38510"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 169 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete | 169 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete |
| 170 | production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be | 170 | production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be |
| 171 | configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the | 171 | configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the |
| 172 | default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to | 172 | default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to |
| 173 | <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a> | 173 | <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a> |
| 174 | for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for | 174 | for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for |
| 175 | further·guidance·how·to·choose·between·the·two·NTP·daemons. | 175 | further·guidance·how·to·choose·between·the·two·NTP·daemons. |
| Offset 184, 15 lines modified | Offset 184, 15 lines modified | ||
| 184 | Add·or·correct·the·following·lines,·substituting·the·IP·or·hostname·of·a·remote | 184 | Add·or·correct·the·following·lines,·substituting·the·IP·or·hostname·of·a·remote |
| 185 | NTP·server·for·<em>ntpserver</em>: | 185 | NTP·server·for·<em>ntpserver</em>: |
| 186 | <pre>server·<i>ntpserver</i></pre> | 186 | <pre>server·<i>ntpserver</i></pre> |
| 187 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 187 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 188 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible·to·collate·system | 188 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible·to·collate·system |
| 189 | logs·from·multiple·sources·or·correlate·computer·events·with·real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 189 | logs·from·multiple·sources·or·correlate·computer·events·with·real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 190 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 190 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 191 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38 | 191 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38534">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38534"><pre><code> |
| 192 | var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>" | 192 | var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>" |
| 193 | #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here. | 193 | #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here. |
| 194 | #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries | 194 | #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries |
| 195 | #·$1:·Path·to·the·config·file | 195 | #·$1:·Path·to·the·config·file |
| 196 | #·$2:·Comma-separated·list·of·servers | 196 | #·$2:·Comma-separated·list·of·servers |
| 197 | function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{ | 197 | function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{ |
| Offset 211, 15 lines modified | Offset 211, 15 lines modified | ||
| 211 | rhel7_ensure_there_are_servers_in_ntp_compatible_config_file | 211 | rhel7_ensure_there_are_servers_in_ntp_compatible_config_file |
| 212 | config_file="/etc/ntp.conf" | 212 | config_file="/etc/ntp.conf" |
| 213 | /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf" | 213 | /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf" |
| 214 | grep·-q·^server·"$config_file"·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers" | 214 | grep·-q·^server·"$config_file"·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers" |
| 215 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·id="guide-tree-leaf-idm38 | 215 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·id="guide-tree-leaf-idm38541"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">Enable·the·NTP·Daemon |
| 216 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 216 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 217 | ········The·<code>chronyd</code>·service·can·be·enabled·with·the·following·command: | 217 | ········The·<code>chronyd</code>·service·can·be·enabled·with·the·following·command: |
| 218 | ········<pre>$·sudo·systemctl·enable·chronyd.service</pre> | 218 | ········<pre>$·sudo·systemctl·enable·chronyd.service</pre> |
| 219 | Note:·The·<code>chronyd</code>·daemon·is·enabled·by·default. | 219 | Note:·The·<code>chronyd</code>·daemon·is·enabled·by·default. |
| 220 | <br><br> | 220 | <br><br> |
| 221 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 221 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| Offset 237, 15 lines modified | Offset 237, 15 lines modified | ||
| 237 | maintaining·accurate·logs·and·auditing·possible·security·breaches. | 237 | maintaining·accurate·logs·and·auditing·possible·security·breaches. |
| 238 | <br><br> | 238 | <br><br> |
| 239 | The·<code>chronyd</code>·and·<code>ntpd</code>·NTP·daemons·offer·all·of·the | 239 | The·<code>chronyd</code>·and·<code>ntpd</code>·NTP·daemons·offer·all·of·the |
| 240 | functionality·of·<code>ntpdate</code>,·which·is·now·deprecated.·Additional | 240 | functionality·of·<code>ntpdate</code>,·which·is·now·deprecated.·Additional |
| 241 | information·on·this·is·available·at | 241 | information·on·this·is·available·at |
| 242 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 242 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 243 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 243 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 244 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38 | 244 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38569">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38569"><pre><code> |
| 245 | if·!·`rpm·-q·--quiet·chrony`·&&·!·`rpm·-q·--quiet·ntp-`;·then | 245 | if·!·`rpm·-q·--quiet·chrony`·&&·!·`rpm·-q·--quiet·ntp-`;·then |
| 246 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 246 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 247 | # | 247 | # |
| 248 | #·Example·Call(s): | 248 | #·Example·Call(s): |
| 249 | # | 249 | # |
| 250 | #·····package_install·aide | 250 | #·····package_install·aide |
| Offset 450, 15 lines modified | Offset 450, 15 lines modified | ||
| 450 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program· | 450 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program· |
| 451 | is·called·<code>sshd</code>·and·provided·by·the·RPM·package | 451 | is·called·<code>sshd</code>·and·provided·by·the·RPM·package |
| 452 | <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary | 452 | <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary |
| 453 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 453 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 454 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 454 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 455 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 455 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 456 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 456 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 457 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm39 | 457 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm39768"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 458 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout | 458 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout |
| 459 | interval. | 459 | interval. |
| 460 | After·this·interval·has·passed,·the·idle·user·will·be | 460 | After·this·interval·has·passed,·the·idle·user·will·be |
| 461 | automatically·logged·out. | 461 | automatically·logged·out. |
| 462 | <br><br> | 462 | <br><br> |
| 463 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 463 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 464 | follows: | 464 | follows: |
| Offset 468, 15 lines modified | Offset 468, 15 lines modified | ||
| 468 | <br><br> | 468 | <br><br> |
| 469 | If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will· | 469 | If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will· |
| 470 | preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 470 | preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 471 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of | 471 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of |
| 472 | opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session | 472 | opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session |
| 473 | enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 473 | enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 474 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 474 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 475 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm | 475 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm39793">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39793"><pre><code> |
| 476 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>" | 476 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>" |
| 477 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 477 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 478 | #·it·does·not·exist. | 478 | #·it·does·not·exist. |
| 479 | # | 479 | # |
| 480 | #·Expects·arguments: | 480 | #·Expects·arguments: |
| 481 | # | 481 | # |
| 482 | #·config_file:» » Configuration·file·that·will·be·modified | 482 | #·config_file:» » Configuration·file·that·will·be·modified |
| Max diff block lines reached; 358165/379597 bytes (94.35%) of diff not shown. | |||
| Offset 83, 23 lines modified | Offset 83, 23 lines modified | ||
| 83 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 83 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 84 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 84 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 85 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 85 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 86 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet | 86 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet |
| 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity | 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity |
| 88 | for·information·transmitted·on·the·network.·This·includes·authentication | 88 | for·information·transmitted·on·the·network.·This·includes·authentication |
| 89 | information·such·as·passwords.·Organizations·which·use·telnet·should·be | 89 | information·such·as·passwords.·Organizations·which·use·telnet·should·be |
| 90 | actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed"·id="guide-tree-leaf-idm362 | 90 | actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed"·id="guide-tree-leaf-idm36206"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet_removed">Remove·telnet·Clients |
| 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·client·allows·users·to·start·connections·to·other· | 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·client·allows·users·to·start·connections·to·other· |
| 92 | systems·via·the·telnet·protocol.</p><span·class="label·label-primary">Rationale:</span><p>The·<code>telnet</code>·protocol·is·insecure·and·unencrypted.·The·use | 92 | systems·via·the·telnet·protocol.</p><span·class="label·label-primary">Rationale:</span><p>The·<code>telnet</code>·protocol·is·insecure·and·unencrypted.·The·use |
| 93 | of·an·unencrypted·transmission·medium·could·allow·an·unauthorized·user | 93 | of·an·unencrypted·transmission·medium·could·allow·an·unauthorized·user |
| 94 | to·steal·credentials.·The·<code>ssh</code>·package·provides·an | 94 | to·steal·credentials.·The·<code>ssh</code>·package·provides·an |
| 95 | encrypted·session·and·stronger·security·and·is·included·in·Red·Hat | 95 | encrypted·session·and·stronger·security·and·is·included·in·Red·Hat |
| 96 | Enterprise·Linux.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 96 | Enterprise·Linux.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 97 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 98 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm362 | 98 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36226">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36226"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 99 | # | 99 | # |
| 100 | #·Example·Call(s): | 100 | #·Example·Call(s): |
| 101 | # | 101 | # |
| 102 | #·····package_remove·telnet-server | 102 | #·····package_remove·telnet-server |
| 103 | # | 103 | # |
| 104 | function·package_remove·{ | 104 | function·package_remove·{ |
| Offset 129, 38 lines modified | Offset 129, 38 lines modified | ||
| 129 | ··echo·"Aborting." | 129 | ··echo·"Aborting." |
| 130 | ··exit·1 | 130 | ··exit·1 |
| 131 | fi | 131 | fi |
| 132 | } | 132 | } |
| 133 | package_remove·telnet | 133 | package_remove·telnet |
| 134 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm362 | 134 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36228">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36228"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnet·is·removed |
| 135 | ··package: | 135 | ··package: |
| 136 | ····name="{{item}}" | 136 | ····name="{{item}}" |
| 137 | ····state=absent | 137 | ····state=absent |
| 138 | ··with_items: | 138 | ··with_items: |
| 139 | ····-·telnet | 139 | ····-·telnet |
| 140 | ··tags: | 140 | ··tags: |
| 141 | ····-·package_telnet_removed | 141 | ····-·package_telnet_removed |
| 142 | ····-·low_severity | 142 | ····-·low_severity |
| 143 | ····-·disable_strategy | 143 | ····-·disable_strategy |
| 144 | ····-·low_complexity | 144 | ····-·low_complexity |
| 145 | ····-·low_disruption | 145 | ····-·low_disruption |
| 146 | ····-·CCE-27305-2 | 146 | ····-·CCE-27305-2 |
| 147 | ····-·NIST-800-171-3.1.13 | 147 | ····-·NIST-800-171-3.1.13 |
| 148 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm362 | 148 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36229">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36229"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnet |
| 149 | class·remove_telnet·{ | 149 | class·remove_telnet·{ |
| 150 | ··package·{·'telnet': | 150 | ··package·{·'telnet': |
| 151 | ····ensure·=>·'purged', | 151 | ····ensure·=>·'purged', |
| 152 | ··} | 152 | ··} |
| 153 | } | 153 | } |
| 154 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm362 | 154 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36230">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36230"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 155 | package·--remove=telnet | 155 | package·--remove=telnet |
| 156 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled"·id="guide-tree-leaf-idm362 | 156 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled"·id="guide-tree-leaf-idm36235"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_telnet_disabled">Disable·telnet·Service |
| 157 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_telnet_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet</code>·service·configuration·file·<code>/etc/xinetd.d/telnet</code> | 157 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_telnet_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet</code>·service·configuration·file·<code>/etc/xinetd.d/telnet</code> |
| 158 | is·not·created·automatically.·If·it·was·created·manually,·check·the | 158 | is·not·created·automatically.·If·it·was·created·manually,·check·the |
| 159 | <code>/etc/xinetd.d/telnet</code>·file·and·ensure·that·<code>disable·=·no</code> | 159 | <code>/etc/xinetd.d/telnet</code>·file·and·ensure·that·<code>disable·=·no</code> |
| 160 | is·changed·to·read·<code>disable·=·yes</code>·as·follows·below: | 160 | is·changed·to·read·<code>disable·=·yes</code>·as·follows·below: |
| 161 | <pre> | 161 | <pre> |
| 162 | #·description:·The·telnet·server·serves·telnet·sessions;·it·uses·\\ | 162 | #·description:·The·telnet·server·serves·telnet·sessions;·it·uses·\\ |
| 163 | #·······unencrypted·username/password·pairs·for·authentication. | 163 | #·······unencrypted·username/password·pairs·for·authentication. |
| Offset 183, 27 lines modified | Offset 183, 27 lines modified | ||
| 183 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 183 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 184 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·telnet·protocol·uses·unencrypted·network·communication,·which | 184 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·telnet·protocol·uses·unencrypted·network·communication,·which |
| 185 | means·that·data·from·the·login·session,·including·passwords·and | 185 | means·that·data·from·the·login·session,·including·passwords·and |
| 186 | all·other·information·transmitted·during·the·session,·can·be | 186 | all·other·information·transmitted·during·the·session,·can·be |
| 187 | stolen·by·eavesdroppers·on·the·network.·The·telnet·protocol·is·also | 187 | stolen·by·eavesdroppers·on·the·network.·The·telnet·protocol·is·also |
| 188 | subject·to·man-in-the-middle·attacks.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 188 | subject·to·man-in-the-middle·attacks.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 189 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 189 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 190 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.18</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm362 | 190 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.18</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36261">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36261"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/telnet·&&·\ |
| 191 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/telnet | 191 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/telnet |
| 192 | # | 192 | # |
| 193 | #·Disable·telnet.socket·for·all·systemd·targets | 193 | #·Disable·telnet.socket·for·all·systemd·targets |
| 194 | # | 194 | # |
| 195 | systemctl·disable·telnet.socket | 195 | systemctl·disable·telnet.socket |
| 196 | # | 196 | # |
| 197 | #·Stop·telnet.socket·if·currently·running | 197 | #·Stop·telnet.socket·if·currently·running |
| 198 | # | 198 | # |
| 199 | systemctl·stop·telnet.socket | 199 | systemctl·stop·telnet.socket |
| 200 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm362 | 200 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36262">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36262"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·telnet |
| 201 | ··service: | 201 | ··service: |
| 202 | ····name="{{item}}" | 202 | ····name="{{item}}" |
| 203 | ····enabled="no" | 203 | ····enabled="no" |
| 204 | ····state="stopped" | 204 | ····state="stopped" |
| 205 | ··register:·service_result | 205 | ··register:·service_result |
| 206 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 206 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 207 | ··with_items: | 207 | ··with_items: |
| Offset 216, 29 lines modified | Offset 216, 29 lines modified | ||
| 216 | ····-·low_disruption | 216 | ····-·low_disruption |
| 217 | ····-·CCE-27401-9 | 217 | ····-·CCE-27401-9 |
| 218 | ····-·NIST-800-53-AC-17(8) | 218 | ····-·NIST-800-53-AC-17(8) |
| 219 | ····-·NIST-800-53-CM-7 | 219 | ····-·NIST-800-53-CM-7 |
| 220 | ····-·NIST-800-53-IA-5(1)(c) | 220 | ····-·NIST-800-53-IA-5(1)(c) |
| 221 | ····-·NIST-800-171-3.1.13 | 221 | ····-·NIST-800-171-3.1.13 |
| 222 | ····-·NIST-800-171-3.4.7 | 222 | ····-·NIST-800-171-3.4.7 |
| 223 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm362 | 223 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36267"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package |
| 224 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with | 224 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with |
| 225 | the·following·command: | 225 | the·following·command: |
| 226 | <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding | 226 | <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding |
| 227 | requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore | 227 | requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore |
| 228 | may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors. | 228 | may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors. |
| 229 | <br> | 229 | <br> |
| 230 | The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the· | 230 | The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the· |
| 231 | confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were | 231 | confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were |
| 232 | to·login·using·this·service,·the·privileged·user·password·could·be·compromised. | 232 | to·login·using·this·service,·the·privileged·user·password·could·be·compromised. |
| 233 | <br> | 233 | <br> |
| 234 | Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental· | 234 | Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental· |
| 235 | (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 235 | (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 236 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 236 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 237 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 237 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36294">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36294"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 238 | # | 238 | # |
| 239 | #·Example·Call(s): | 239 | #·Example·Call(s): |
| 240 | # | 240 | # |
| 241 | #·····package_remove·telnet-server | 241 | #·····package_remove·telnet-server |
| 242 | # | 242 | # |
| 243 | function·package_remove·{ | 243 | function·package_remove·{ |
| Offset 268, 15 lines modified | Offset 268, 15 lines modified | ||
| 268 | ··echo·"Aborting." | 268 | ··echo·"Aborting." |
| 269 | ··exit·1 | 269 | ··exit·1 |
| 270 | fi | 270 | fi |
| 271 | } | 271 | } |
| Max diff block lines reached; 132658/157561 bytes (84.19%) of diff not shown. | |||
| Offset 71, 28 lines modified | Offset 71, 28 lines modified | ||
| 71 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 71 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 72 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 72 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 73 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons | 73 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons |
| 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to |
| 75 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | 75 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost |
| 76 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | 76 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or |
| 77 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | 77 | may·not·be·required·on·a·given·system.·Both·daemons·should·be |
| 78 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm369 | 78 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm36989"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd) |
| 79 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to | 79 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to |
| 80 | schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed | 80 | schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed |
| 81 | execution·in·a·manner·similar·to·cron,·except·that·it·is·not | 81 | execution·in·a·manner·similar·to·cron,·except·that·it·is·not |
| 82 | recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via | 82 | recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via |
| 83 | <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time. | 83 | <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time. |
| 84 | ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command: | 84 | ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command: |
| 85 | ········<pre>$·sudo·systemctl·disable·atd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry | 85 | ········<pre>$·sudo·systemctl·disable·atd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry |
| 86 | out·activities·outside·of·a·normal·login·session,·which·could·complicate | 86 | out·activities·outside·of·a·normal·login·session,·which·could·complicate |
| 87 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or | 87 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or |
| 88 | <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 88 | <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 89 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 89 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 90 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm3 | 90 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm37005">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm37005"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 91 | # | 91 | # |
| 92 | #·Example·Call(s): | 92 | #·Example·Call(s): |
| 93 | # | 93 | # |
| 94 | #·····service_command·enable·bluetooth | 94 | #·····service_command·enable·bluetooth |
| 95 | #·····service_command·disable·bluetooth.service | 95 | #·····service_command·disable·bluetooth.service |
| 96 | # | 96 | # |
| 97 | #·····Using·xinetd: | 97 | #·····Using·xinetd: |
| Offset 160, 15 lines modified | Offset 160, 15 lines modified | ||
| 160 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 160 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 161 | ··fi | 161 | ··fi |
| 162 | fi | 162 | fi |
| 163 | } | 163 | } |
| 164 | service_command·disable·atd | 164 | service_command·disable·atd |
| 165 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 165 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm37007">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm37007"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd |
| 166 | ··service: | 166 | ··service: |
| 167 | ····name="{{item}}" | 167 | ····name="{{item}}" |
| 168 | ····enabled="no" | 168 | ····enabled="no" |
| 169 | ····state="stopped" | 169 | ····state="stopped" |
| 170 | ··register:·service_result | 170 | ··register:·service_result |
| 171 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 171 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 172 | ··with_items: | 172 | ··with_items: |
| Offset 183, 27 lines modified | Offset 183, 27 lines modified | ||
| 183 | ····-·NIST-800-53-CM-7 | 183 | ····-·NIST-800-53-CM-7 |
| 184 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_base"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_base">Base·Services | 184 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_base"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_base">Base·Services |
| 185 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·addresses·the·base·services·that·are·installed·on·a | 185 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·addresses·the·base·services·that·are·installed·on·a |
| 186 | Red·Hat·Enterprise·Linux·7·default·installation·which·are·not·covered·in·other | 186 | Red·Hat·Enterprise·Linux·7·default·installation·which·are·not·covered·in·other |
| 187 | sections.·Some·of·these·services·listen·on·the·network·and | 187 | sections.·Some·of·these·services·listen·on·the·network·and |
| 188 | should·be·treated·with·particular·discretion.·Other·services·are·local | 188 | should·be·treated·with·particular·discretion.·Other·services·are·local |
| 189 | system·utilities·that·may·or·may·not·be·extraneous.·In·general,·system·services | 189 | system·utilities·that·may·or·may·not·be·extraneous.·In·general,·system·services |
| 190 | should·be·disabled·if·not·required.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·id="guide-tree-leaf-idm38 | 190 | should·be·disabled·if·not·required.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·id="guide-tree-leaf-idm38651"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled">Disable·Network·Router·Discovery·Daemon·(rdisc) |
| 191 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rdisc_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rdisc</code>·service·implements·the·client·side·of·the·ICMP | 191 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rdisc_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rdisc</code>·service·implements·the·client·side·of·the·ICMP |
| 192 | Internet·Router·Discovery·Protocol·(IRDP),·which·allows·discovery·of·routers·on | 192 | Internet·Router·Discovery·Protocol·(IRDP),·which·allows·discovery·of·routers·on |
| 193 | the·local·subnet.·If·a·router·is·discovered·then·the·local·routing·table·is | 193 | the·local·subnet.·If·a·router·is·discovered·then·the·local·routing·table·is |
| 194 | updated·with·a·corresponding·default·route.·By·default·this·daemon·is·disabled. | 194 | updated·with·a·corresponding·default·route.·By·default·this·daemon·is·disabled. |
| 195 | ········The·<code>rdisc</code>·service·can·be·disabled·with·the·following·command: | 195 | ········The·<code>rdisc</code>·service·can·be·disabled·with·the·following·command: |
| 196 | ········<pre>$·sudo·systemctl·disable·rdisc.service</pre></p><span·class="label·label-primary">Rationale:</span><p>General-purpose·systems·typically·have·their·network·and·routing | 196 | ········<pre>$·sudo·systemctl·disable·rdisc.service</pre></p><span·class="label·label-primary">Rationale:</span><p>General-purpose·systems·typically·have·their·network·and·routing |
| 197 | information·configured·statically·by·a·system·administrator.·Workstations·or | 197 | information·configured·statically·by·a·system·administrator.·Workstations·or |
| 198 | some·special-purpose·systems·often·use·DHCP·(instead·of·IRDP)·to·retrieve | 198 | some·special-purpose·systems·often·use·DHCP·(instead·of·IRDP)·to·retrieve |
| 199 | dynamic·network·configuration·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 199 | dynamic·network·configuration·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 200 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 200 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 201 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38 | 201 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38662">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38662"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 202 | # | 202 | # |
| 203 | #·Example·Call(s): | 203 | #·Example·Call(s): |
| 204 | # | 204 | # |
| 205 | #·····service_command·enable·bluetooth | 205 | #·····service_command·enable·bluetooth |
| 206 | #·····service_command·disable·bluetooth.service | 206 | #·····service_command·disable·bluetooth.service |
| 207 | # | 207 | # |
| 208 | #·····Using·xinetd: | 208 | #·····Using·xinetd: |
| Offset 271, 15 lines modified | Offset 271, 15 lines modified | ||
| 271 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 271 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 272 | ··fi | 272 | ··fi |
| 273 | fi | 273 | fi |
| 274 | } | 274 | } |
| 275 | service_command·disable·rdisc | 275 | service_command·disable·rdisc |
| 276 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm38 | 276 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm38664">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38664"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rdisc |
| 277 | ··service: | 277 | ··service: |
| 278 | ····name="{{item}}" | 278 | ····name="{{item}}" |
| 279 | ····enabled="no" | 279 | ····enabled="no" |
| 280 | ····state="stopped" | 280 | ····state="stopped" |
| 281 | ··register:·service_result | 281 | ··register:·service_result |
| 282 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 282 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 283 | ··with_items: | 283 | ··with_items: |
| Offset 290, 27 lines modified | Offset 290, 27 lines modified | ||
| 290 | ····-·disable_strategy | 290 | ····-·disable_strategy |
| 291 | ····-·low_complexity | 291 | ····-·low_complexity |
| 292 | ····-·low_disruption | 292 | ····-·low_disruption |
| 293 | ····-·CCE-80268-6 | 293 | ····-·CCE-80268-6 |
| 294 | ····-·NIST-800-53-AC-17(8) | 294 | ····-·NIST-800-53-AC-17(8) |
| 295 | ····-·NIST-800-53-AC-4 | 295 | ····-·NIST-800-53-AC-4 |
| 296 | ····-·NIST-800-53-CM-7 | 296 | ····-·NIST-800-53-CM-7 |
| 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·id="guide-tree-leaf-idm387 | 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·id="guide-tree-leaf-idm38784"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">Disable·Odd·Job·Daemon·(oddjobd) |
| 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>oddjobd</code>·service·exists·to·provide·an·interface·and | 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>oddjobd</code>·service·exists·to·provide·an·interface·and |
| 299 | access·control·mechanism·through·which | 299 | access·control·mechanism·through·which |
| 300 | specified·privileged·tasks·can·run·tasks·for·unprivileged·client | 300 | specified·privileged·tasks·can·run·tasks·for·unprivileged·client |
| 301 | applications.·Communication·with·<code>oddjobd</code>·through·the·system·message·bus. | 301 | applications.·Communication·with·<code>oddjobd</code>·through·the·system·message·bus. |
| 302 | ········The·<code>oddjobd</code>·service·can·be·disabled·with·the·following·command: | 302 | ········The·<code>oddjobd</code>·service·can·be·disabled·with·the·following·command: |
| 303 | ········<pre>$·sudo·systemctl·disable·oddjobd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>oddjobd</code>·service·may·provide·necessary·functionality·in | 303 | ········<pre>$·sudo·systemctl·disable·oddjobd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>oddjobd</code>·service·may·provide·necessary·functionality·in |
| 304 | some·environments,·and·can·be·disabled·if·it·is·not·needed.·Execution·of | 304 | some·environments,·and·can·be·disabled·if·it·is·not·needed.·Execution·of |
| 305 | tasks·by·privileged·programs,·on·behalf·of·unprivileged·ones,·has·traditionally | 305 | tasks·by·privileged·programs,·on·behalf·of·unprivileged·ones,·has·traditionally |
| 306 | been·a·source·of·privilege·escalation·security·issues.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 306 | been·a·source·of·privilege·escalation·security·issues.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 307 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 307 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 308 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm387 | 308 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38795">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38795"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 309 | # | 309 | # |
| 310 | #·Example·Call(s): | 310 | #·Example·Call(s): |
| 311 | # | 311 | # |
| 312 | #·····service_command·enable·bluetooth | 312 | #·····service_command·enable·bluetooth |
| 313 | #·····service_command·disable·bluetooth.service | 313 | #·····service_command·disable·bluetooth.service |
| 314 | # | 314 | # |
| 315 | #·····Using·xinetd: | 315 | #·····Using·xinetd: |
| Offset 378, 15 lines modified | Offset 378, 15 lines modified | ||
| 378 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 378 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 379 | ··fi | 379 | ··fi |
| 380 | fi | 380 | fi |
| 381 | } | 381 | } |
| 382 | service_command·disable·oddjobd | 382 | service_command·disable·oddjobd |
| 383 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm387 | 383 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm38797">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38797"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·oddjobd |
| 384 | ··service: | 384 | ··service: |
| 385 | ····name="{{item}}" | 385 | ····name="{{item}}" |
| Max diff block lines reached; 316204/334498 bytes (94.53%) of diff not shown. | |||
| Offset 92, 65 lines modified | Offset 92, 65 lines modified | ||
| 92 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 92 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 93 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 93 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 94 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 94 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 95 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 95 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 96 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 96 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 97 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 97 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 98 | allow·cleartext·remote·access·and·have·an·insecure·trust | 98 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 99 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36 | 99 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36086"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_host_based_files">Remove·Host-Based·Authentication·Files |
| 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts | 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts |
| 101 | and·users·that·are·trusted·by·the·local·system. | 101 | and·users·that·are·trusted·by·the·local·system. |
| 102 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | 102 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any |
| 103 | location: | 103 | location: |
| 104 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the | 104 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the |
| 105 | system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing | 105 | system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing |
| 106 | unauthorized·access·to·the·system,·as·it·does·not·require·interactive | 106 | unauthorized·access·to·the·system,·as·it·does·not·require·interactive |
| 107 | identification·and·authentication·of·a·connection·request,·or·for·the·use·of | 107 | identification·and·authentication·of·a·connection·request,·or·for·the·use·of |
| 108 | two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 108 | two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 109 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 109 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 110 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 110 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36095">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36095"><pre><code> |
| 111 | #·Identify·local·mounts | 111 | #·Identify·local·mounts |
| 112 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 112 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 113 | #·Find·file·on·each·listed·mount·point | 113 | #·Find·file·on·each·listed·mount·point |
| 114 | for·cur_mount·in·${MOUNT_LIST} | 114 | for·cur_mount·in·${MOUNT_LIST} |
| 115 | do | 115 | do |
| 116 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; | 116 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; |
| 117 | done | 117 | done |
| 118 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm361 | 118 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36131"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files |
| 119 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files | 119 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files |
| 120 | list·remote·hosts·and·users·that·are·trusted·by·the | 120 | list·remote·hosts·and·users·that·are·trusted·by·the |
| 121 | local·system.·To·remove·these·files,·run·the·following·command | 121 | local·system.·To·remove·these·files,·run·the·following·command |
| 122 | to·delete·them·from·any·location: | 122 | to·delete·them·from·any·location: |
| 123 | <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for | 123 | <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for |
| 124 | individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not | 124 | individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not |
| 125 | sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not | 125 | sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not |
| 126 | require·interactive·identification·and·authentication·of·a·connection·request, | 126 | require·interactive·identification·and·authentication·of·a·connection·request, |
| 127 | or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 129 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm361 | 129 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36140">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36140"><pre><code> |
| 130 | #·Identify·local·mounts | 130 | #·Identify·local·mounts |
| 131 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 131 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 132 | #·Find·file·on·each·listed·mount·point | 132 | #·Find·file·on·each·listed·mount·point |
| 133 | for·cur_mount·in·${MOUNT_LIST} | 133 | for·cur_mount·in·${MOUNT_LIST} |
| 134 | do | 134 | do |
| 135 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; | 135 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; |
| 136 | done | 136 | done |
| 137 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm361 | 137 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36145"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 138 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 138 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 139 | the·following·command: | 139 | the·following·command: |
| 140 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 140 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 141 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 141 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| 142 | authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password | 142 | authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password |
| 143 | could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure | 143 | could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure |
| 144 | network·services.·Removing·it·decreases·the·risk·of·those·services'·accidental·(or·intentional) | 144 | network·services.·Removing·it·decreases·the·risk·of·those·services'·accidental·(or·intentional) |
| 145 | activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 145 | activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 146 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 146 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 147 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm361 | 147 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36170">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36170"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 148 | # | 148 | # |
| 149 | #·Example·Call(s): | 149 | #·Example·Call(s): |
| 150 | # | 150 | # |
| 151 | #·····package_remove·telnet-server | 151 | #·····package_remove·telnet-server |
| 152 | # | 152 | # |
| 153 | function·package_remove·{ | 153 | function·package_remove·{ |
| Offset 180, 15 lines modified | Offset 180, 15 lines modified | ||
| 180 | ··echo·"Aborting." | 180 | ··echo·"Aborting." |
| 181 | ··exit·1 | 181 | ··exit·1 |
| 182 | fi | 182 | fi |
| 183 | } | 183 | } |
| 184 | package_remove·rsh-server | 184 | package_remove·rsh-server |
| 185 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 185 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36172">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36172"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh-server·is·removed |
| 186 | ··package: | 186 | ··package: |
| 187 | ····name="{{item}}" | 187 | ····name="{{item}}" |
| 188 | ····state=absent | 188 | ····state=absent |
| 189 | ··with_items: | 189 | ··with_items: |
| 190 | ····-·rsh-server | 190 | ····-·rsh-server |
| 191 | ··tags: | 191 | ··tags: |
| 192 | ····-·package_rsh-server_removed | 192 | ····-·package_rsh-server_removed |
| Offset 196, 42 lines modified | Offset 196, 42 lines modified | ||
| 196 | ····-·disable_strategy | 196 | ····-·disable_strategy |
| 197 | ····-·low_complexity | 197 | ····-·low_complexity |
| 198 | ····-·low_disruption | 198 | ····-·low_disruption |
| 199 | ····-·CCE-27342-5 | 199 | ····-·CCE-27342-5 |
| 200 | ····-·NIST-800-53-AC-17(8) | 200 | ····-·NIST-800-53-AC-17(8) |
| 201 | ····-·NIST-800-53-CM-7(a) | 201 | ····-·NIST-800-53-CM-7(a) |
| 202 | ····-·DISA-STIG-RHEL-07-020000 | 202 | ····-·DISA-STIG-RHEL-07-020000 |
| 203 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 203 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36173">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36173"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh-server |
| 204 | class·remove_rsh-server·{ | 204 | class·remove_rsh-server·{ |
| 205 | ··package·{·'rsh-server': | 205 | ··package·{·'rsh-server': |
| 206 | ····ensure·=>·'purged', | 206 | ····ensure·=>·'purged', |
| 207 | ··} | 207 | ··} |
| 208 | } | 208 | } |
| 209 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 209 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36174">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36174"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 210 | package·--remove=rsh-server | 210 | package·--remove=rsh-server |
| 211 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet | 211 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet |
| 212 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity | 212 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity |
| 213 | for·information·transmitted·on·the·network.·This·includes·authentication | 213 | for·information·transmitted·on·the·network.·This·includes·authentication |
| 214 | information·such·as·passwords.·Organizations·which·use·telnet·should·be | 214 | information·such·as·passwords.·Organizations·which·use·telnet·should·be |
| 215 | actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm362 | 215 | actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36267"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package |
| 216 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with | 216 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with |
| 217 | the·following·command: | 217 | the·following·command: |
| 218 | <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding | 218 | <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding |
| 219 | requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore | 219 | requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore |
| 220 | may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors. | 220 | may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors. |
| 221 | <br> | 221 | <br> |
| 222 | The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the· | 222 | The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the· |
| 223 | confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were | 223 | confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were |
| 224 | to·login·using·this·service,·the·privileged·user·password·could·be·compromised. | 224 | to·login·using·this·service,·the·privileged·user·password·could·be·compromised. |
| 225 | <br> | 225 | <br> |
| 226 | Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental· | 226 | Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental· |
| 227 | (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 227 | (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 228 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 228 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 229 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 229 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36294">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36294"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 230 | # | 230 | # |
| 231 | #·Example·Call(s): | 231 | #·Example·Call(s): |
| 232 | # | 232 | # |
| 233 | #·····package_remove·telnet-server | 233 | #·····package_remove·telnet-server |
| 234 | # | 234 | # |
| 235 | function·package_remove·{ | 235 | function·package_remove·{ |
| Offset 261, 15 lines modified | Offset 261, 15 lines modified | ||
| 261 | ··echo·"Aborting." | 261 | ··echo·"Aborting." |
| 262 | ··exit·1 | 262 | ··exit·1 |
| Max diff block lines reached; 928191/953987 bytes (97.30%) of diff not shown. | |||
| Offset 48, 27 lines modified | Offset 48, 24 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_routing">Network·Routing</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·950,·SHA:·a7c844d718d4a2cf68abe69bc182d0b9229d73dc5dbe42fbcbb39f6b8f5fcc63·...·]</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Red·Hat·OpenStack·Platform·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Red·Hat·OpenStack·Platform·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·OpenStack·Platform·7·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·OpenStack·Platform·7·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Red·Hat·OpenStack·Platform·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Red·Hat·OpenStack·Platform·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 63 | system.·When·building·Red·Hat·OpenStack·Platform·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 63 | system.·When·building·Red·Hat·OpenStack·Platform·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 64 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 64 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are | ||
| 66 | ··self-sufficient·and·self-contained·applications·using·the·resource | ||
| 67 | ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services | ||
| 68 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible |
| 69 | services·which·have·historically·caused·problems·for·system | 66 | services·which·have·historically·caused·problems·for·system |
| 70 | security,·and·for·which·disabling·or·severely·limiting·the·service | 67 | security,·and·for·which·disabling·or·severely·limiting·the·service |
| 71 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of | 68 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of |
| 72 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·7 | 69 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·7 |
| 73 | by·default. | 70 | by·default. |
| 74 | <br><br> | 71 | <br><br> |
| Offset 102, 15 lines modified | Offset 99, 51 lines modified | ||
| 102 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 99 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 103 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 100 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 104 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 101 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 105 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 102 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 106 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 103 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 107 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services | 104 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services |
| 108 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages | 105 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages |
| 109 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 106 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_imap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server |
| 107 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·provides·IMAP·and·POP3·services.·It·is·not | ||
| 108 | installed·by·default.·The·project·page·at·<a·href="http://www.dovecot.org">http://www.dovecot.org</a> | ||
| 109 | contains·more·detailed·information·about·Dovecot | ||
| 110 | configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary | ||
| 111 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or | ||
| 112 | POP3·server,·the·dovecot·software·should·be·configured·securely·by·following | ||
| 113 | the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support | ||
| 114 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the· | ||
| 115 | Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot· | ||
| 116 | server·in·order·to·read·their·mail,·and·passwords·should·never·be· | ||
| 117 | transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is· | ||
| 118 | downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates· | ||
| 119 | to·authenticate·the·server,·preventing·another·system·from·impersonating· | ||
| 120 | the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server | ||
| 121 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound | ||
| 122 | access·to·any·services.·This·modification·will·allow·remote·hosts·to | ||
| 123 | initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports | ||
| 124 | on·the·server·in·their·default·protected·state. | ||
| 125 | ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s): | ||
| 126 | ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and | ||
| 127 | ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols | ||
| 128 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as· | ||
| 129 | SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server· | ||
| 130 | to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.· | ||
| 131 | Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with· | ||
| 132 | only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,· | ||
| 133 | <code>pop3</code>,·<code>pop3s</code>)·required: | ||
| 134 | <pre>protocols·=·PROTOCOL</pre> | ||
| 135 | If·possible,·require·SSL·protection·for·all·transactions.·The·SSL· | ||
| 136 | protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for· | ||
| 137 | pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.· | ||
| 138 | An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the· | ||
| 139 | client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot | ||
| 140 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or | ||
| 141 | POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack | ||
| 110 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cinder"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_cinder">Cinder·STIG·Checklist | 142 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cinder"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_cinder">Cinder·STIG·Checklist |
| 111 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cinder">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Cinder·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_keystone"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_keystone"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_keystone">Keystone·STIG·Checklist | 143 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cinder">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Cinder·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_keystone"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_keystone"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_keystone">Keystone·STIG·Checklist |
| 112 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_keystone">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Keystone·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_keystone"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nova"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nova"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_nova">Nova·STIG·Checklist | 144 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_keystone">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Keystone·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_keystone"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nova"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nova"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_nova">Nova·STIG·Checklist |
| 113 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_nova">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Nova·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_nova"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_horizon"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_horizon"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_horizon">Horizon·STIG·Checklist | 145 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_nova">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Nova·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_nova"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_horizon"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_horizon"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_horizon">Horizon·STIG·Checklist |
| 114 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_horizon">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Horizon·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_horizon"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_neutron"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_neutron"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_neutron">Neutron·STIG·Checklist | 146 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_horizon">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Horizon·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_horizon"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_neutron"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_neutron"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_neutron">Neutron·STIG·Checklist |
| 115 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_neutron">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Neutron·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_neutron"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server | 147 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_neutron">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Neutron·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_neutron"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 116 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to | 148 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| Offset 854, 51 lines modified | Offset 887, 18 lines modified | ||
| 854 | supersede·domain-name-servers·192.168.1.2; | 887 | supersede·domain-name-servers·192.168.1.2; |
| 855 | supersede·nis-domain·""; | 888 | supersede·nis-domain·""; |
| 856 | supersede·nis-servers·""; | 889 | supersede·nis-servers·""; |
| 857 | supersede·ntp-servers·"ntp.example.com·"; | 890 | supersede·ntp-servers·"ntp.example.com·"; |
| 858 | supersede·routers·192.168.1.1; | 891 | supersede·routers·192.168.1.1; |
| 859 | supersede·time-offset·-18000; | 892 | supersede·time-offset·-18000; |
| 860 | request·subnet-mask; | 893 | request·subnet-mask; |
| 861 | require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 894 | require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_docker"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_docker">Docker·Service |
| 862 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 895 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are |
| 863 | 896 | ··self-sufficient·and·self-contained·applications·using·the·resource | |
| 864 | contains | 897 | ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC |
| 865 | configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary | ||
| 866 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or | ||
| 867 | POP3·server,·the·dovecot·software·should·be·configured·securely·by·following | ||
| 868 | the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support | ||
| 869 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the· | ||
| 870 | Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot· | ||
| 871 | server·in·order·to·read·their·mail,·and·passwords·should·never·be· | ||
| 872 | transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is· | ||
| 873 | downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates· | ||
| 874 | to·authenticate·the·server,·preventing·another·system·from·impersonating· | ||
| 875 | the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server | ||
| 876 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound | ||
| 877 | access·to·any·services.·This·modification·will·allow·remote·hosts·to | ||
| 878 | initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports | ||
| 879 | on·the·server·in·their·default·protected·state. | ||
| 880 | ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s): | ||
| 881 | ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and | ||
| 882 | ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols | ||
| 883 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as· | ||
| 884 | SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server· | ||
| 885 | to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.· | ||
| 886 | Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with· | ||
| 887 | only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,· | ||
| 888 | <code>pop3</code>,·<code>pop3s</code>)·required: | ||
| 889 | <pre>protocols·=·PROTOCOL</pre> | ||
| 890 | If·possible,·require·SSL·protection·for·all·transactions.·The·SSL· | ||
| 891 | protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for· | ||
| 892 | pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.· | ||
| 893 | An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the· | ||
| 894 | client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot | ||
| 895 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or | ||
| 896 | POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC | ||
| 897 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for | 898 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for |
| 898 | the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the | 899 | the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the |
| 899 | circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies, | 900 | circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies, |
| Max diff block lines reached; 84051/121344 bytes (69.27%) of diff not shown. | |||
| Offset 58, 70 lines modified | Offset 58, 83 lines modified | ||
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·OpenStack·Platform·7·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·OpenStack·Platform·7·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Red·Hat·OpenStack·Platform·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Red·Hat·OpenStack·Platform·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Red·Hat·OpenStack·Platform·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Red·Hat·OpenStack·Platform·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 63 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack | 63 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cinder"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_cinder">Cinder·STIG·Checklist | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cinder"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_cinder">Cinder·STIG·Checklist |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cinder">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Cinder·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><small>contains·8·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_glance_tls"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_glance_tls"·id="guide-tree-leaf-idm43 | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cinder">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Cinder·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><small>contains·8·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_glance_tls"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_glance_tls"·id="guide-tree-leaf-idm4347"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_glance_tls">Check-Block-06:·Does·cinder·communicates·with·glance·over·TLS? |
| 66 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_glance_tls">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Similar·to·previous·check·(Check-Block-05:·Does·cinder·communicates·with·nova·over·TLS?),·it·is·recommended·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol. | 66 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_glance_tls">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Similar·to·previous·check·(Check-Block-05:·Does·cinder·communicates·with·nova·over·TLS?),·it·is·recommended·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol. |
| 67 | <br> | 67 | <br> |
| 68 | <br> | 68 | <br> |
| 69 | Pass:·If·value·of·parameter·glance_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False. | 69 | Pass:·If·value·of·parameter·glance_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False. |
| 70 | <br> | 70 | <br> |
| 71 | <br> | 71 | <br> |
| 72 | Fail:·If·value·of·parameter·glance_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 72 | Fail:·If·value·of·parameter·glance_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 73 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 73 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 74 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 74 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 75 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm43 | 75 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4357">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4357"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·glance_api_insecure·False |
| 76 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions"·id="guide-tree-leaf-idm43 | 76 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions"·id="guide-tree-leaf-idm4358"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions">Check-Block-07:·Is·NAS·operating·in·secure·enviornment? |
| 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Cinder·supports·an·NFS·driver·which·works·differently·than·a·traditional·block·storage·driver.·The·NFS·driver·does·not·actually·allow·an·instance·to·access·a·storage·device·at·the·block·level.·Instead,·files·are·created·on·an·NFS·share·and·mapped·to·instances,·which·emulates·a·block·device.·Cinder·supports·secure·configuration·for·such·files·by·controlling·the·file·permissions·when·cinder·volumes·are·created.·Cinder·configuration·can·also·control·whether·file·operations·are·run·as·the·root·user·or·the·current·OpenStack·process·user. | 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Cinder·supports·an·NFS·driver·which·works·differently·than·a·traditional·block·storage·driver.·The·NFS·driver·does·not·actually·allow·an·instance·to·access·a·storage·device·at·the·block·level.·Instead,·files·are·created·on·an·NFS·share·and·mapped·to·instances,·which·emulates·a·block·device.·Cinder·supports·secure·configuration·for·such·files·by·controlling·the·file·permissions·when·cinder·volumes·are·created.·Cinder·configuration·can·also·control·whether·file·operations·are·run·as·the·root·user·or·the·current·OpenStack·process·user. |
| 78 | <br> | 78 | <br> |
| 79 | <br> | 79 | <br> |
| 80 | Pass:·If·value·of·parameter·nas_secure_file_permissions·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·auto.·When·set·to·auto,·a·check·is·done·during·cinder·startup·to·determine·if·there·are·existing·cinder·volumes,·no·volumes·will·set·the·option·to·True,·and·use·secure·file·permissions.·The·detection·of·existing·volumes·will·set·the·option·to·False,·and·use·the·current·insecure·method·of·handling·file·permissions.·If·value·of·parameter·nas_secure_file_operations·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·auto.·When·set·to·“auto”,·a·check·is·done·during·cinder·startup·to·determine·if·there·are·existing·cinder·volumes,·no·volumes·will·set·the·option·to·True,·be·secure·and·do·NOT·run·as·the·root·user.·The·detection·of·existing·volumes·will·set·the·option·to·False,·and·use·the·current·method·of·running·operations·as·the·root·user.·For·new·installations,·a·“marker·file”·is·written·so·that·subsequent·restarts·of·cinder·will·know·what·the·original·determination·had·been. | 80 | Pass:·If·value·of·parameter·nas_secure_file_permissions·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·auto.·When·set·to·auto,·a·check·is·done·during·cinder·startup·to·determine·if·there·are·existing·cinder·volumes,·no·volumes·will·set·the·option·to·True,·and·use·secure·file·permissions.·The·detection·of·existing·volumes·will·set·the·option·to·False,·and·use·the·current·insecure·method·of·handling·file·permissions.·If·value·of·parameter·nas_secure_file_operations·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·auto.·When·set·to·“auto”,·a·check·is·done·during·cinder·startup·to·determine·if·there·are·existing·cinder·volumes,·no·volumes·will·set·the·option·to·True,·be·secure·and·do·NOT·run·as·the·root·user.·The·detection·of·existing·volumes·will·set·the·option·to·False,·and·use·the·current·method·of·running·operations·as·the·root·user.·For·new·installations,·a·“marker·file”·is·written·so·that·subsequent·restarts·of·cinder·will·know·what·the·original·determination·had·been. |
| 81 | <br> | 81 | <br> |
| 82 | <br> | 82 | <br> |
| 83 | Fail:·If·value·of·parameter·nas_secure_file_permissions·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False·and·if·value·of·parameter·nas_secure_file_operations·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 83 | Fail:·If·value·of·parameter·nas_secure_file_permissions·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False·and·if·value·of·parameter·nas_secure_file_operations·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 84 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 84 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 85 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 85 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 86 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_using_keystone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_using_keystone"·id="guide-tree-leaf-idm43 | 86 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_using_keystone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_using_keystone"·id="guide-tree-leaf-idm4368"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_using_keystone">Check-Block-03:·Is·keystone·used·for·authentication? |
| 87 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_using_keystone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·supports·various·authentication·strategies·like·noauth,·keystone·etc.·If·the·‘noauth’·strategy·is·used·then·the·users·could·interact·with·OpenStack·services·without·any·authentication.·This·could·be·a·potential·risk·since·an·attacker·might·gain·unauthorized·access·to·the·OpenStack·components.·Thus·it·is·strongly·recommended·that·all·services·must·be·authenticated·with·keystone·using·their·service·accounts. | 87 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_using_keystone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·supports·various·authentication·strategies·like·noauth,·keystone·etc.·If·the·‘noauth’·strategy·is·used·then·the·users·could·interact·with·OpenStack·services·without·any·authentication.·This·could·be·a·potential·risk·since·an·attacker·might·gain·unauthorized·access·to·the·OpenStack·components.·Thus·it·is·strongly·recommended·that·all·services·must·be·authenticated·with·keystone·using·their·service·accounts. |
| 88 | <br> | 88 | <br> |
| 89 | <br> | 89 | <br> |
| 90 | Pass:·If·value·of·parameter·auth_strategy·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·keystone. | 90 | Pass:·If·value·of·parameter·auth_strategy·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·keystone. |
| 91 | <br> | 91 | <br> |
| 92 | <br> | 92 | <br> |
| 93 | Fail:·If·value·of·parameter·auth_strategy·under·[DEFAULT]·section·is·set·to·noauth.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 93 | Fail:·If·value·of·parameter·auth_strategy·under·[DEFAULT]·section·is·set·to·noauth.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 94 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 94 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 95 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 95 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 96 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm43 | 96 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4378">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4378"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·auth_strategy·keystone |
| 97 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_ | 97 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_nova_tls"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_nova_tls"·id="guide-tree-leaf-idm4379"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_nova_tls">Check-Block-05:·Does·cinder·communicates·with·nova·over·TLS? |
| 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_nova_tls">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·components·communicate·with·each·other·using·various·protocols·and·the·communication·might·involve·sensitive·/·confidential·data.·An·attacker·may·try·to·eavesdrop·on·the·channel·in·order·to·get·access·to·sensitive·information.·Thus·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol. | ||
| 99 | <br> | ||
| 100 | <br> | ||
| 101 | Pass:·If·value·of·parameter·nova_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False. | ||
| 102 | <br> | ||
| 103 | <br> | ||
| 104 | Fail:·If·value·of·parameter·nova_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 105 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 106 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 107 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4389">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4389"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·nova_api_insecure·False | ||
| 108 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_tls_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_tls_enabled"·id="guide-tree-leaf-idm4390"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_tls_enabled">Check-Block-04:·Is·TLS·enabled·for·authentication? | ||
| 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_tls_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·components·communicate·with·each·other·using·various·protocols·and·the·communication·might·involve·sensitive·/·confidential·data.·An·attacker·may·try·to·eavesdrop·on·the·channel·in·order·to·get·access·to·sensitive·information.·Thus·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol. | 109 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_tls_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·components·communicate·with·each·other·using·various·protocols·and·the·communication·might·involve·sensitive·/·confidential·data.·An·attacker·may·try·to·eavesdrop·on·the·channel·in·order·to·get·access·to·sensitive·information.·Thus·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol. |
| 99 | <br> | 110 | <br> |
| 100 | <br> | 111 | <br> |
| 101 | Pass:·If·value·of·parameter·auth_protocol·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·https,·or·if·value·of·parameter·identity_uri·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·Identity·API·endpoint·starting·with·https://·and·value·of·parameter·insecure·under·the·same·[keystone_authtoken]·section·in·the·same·/etc/cinder/cinder.conf·is·set·to·False. | 112 | Pass:·If·value·of·parameter·auth_protocol·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·https,·or·if·value·of·parameter·identity_uri·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·Identity·API·endpoint·starting·with·https://·and·value·of·parameter·insecure·under·the·same·[keystone_authtoken]·section·in·the·same·/etc/cinder/cinder.conf·is·set·to·False. |
| 102 | <br> | 113 | <br> |
| 103 | <br> | 114 | <br> |
| 104 | Fail:·If·value·of·parameter·auth_protocol·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·http,·or·if·value·of·parameter·identity_uri·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·not·set·to·Identity·API·endpoint·starting·with·https://·or·value·of·parameter·insecure·under·the·same·[keystone_authtoken]·section·in·the·same·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 115 | Fail:·If·value·of·parameter·auth_protocol·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·http,·or·if·value·of·parameter·identity_uri·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·not·set·to·Identity·API·endpoint·starting·with·https://·or·value·of·parameter·insecure·under·the·same·[keystone_authtoken]·section·in·the·same·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 105 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 116 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 106 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 117 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 107 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4 | 118 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4400">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4400"><pre><code>OLD_IDENTITY_URL=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri) |
| 108 | NEW_IDENTITY_URI="${OLD_IDENTITY_URI:0:4}s${OLD_IDENTITY_URI:4:-1}" | 119 | NEW_IDENTITY_URI="${OLD_IDENTITY_URI:0:4}s${OLD_IDENTITY_URI:4:-1}" |
| 109 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri·$NEW_IDENTIY_URI | 120 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri·$NEW_IDENTIY_URI |
| 110 | OLD_AUTH_URI=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri) | 121 | OLD_AUTH_URI=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri) |
| 111 | NEW_AUTH_URI="${OLD_AUTH_URI:0:4}s${OLD_AUTH_URI:4:-1}" | 122 | NEW_AUTH_URI="${OLD_AUTH_URI:0:4}s${OLD_AUTH_URI:4:-1}" |
| 112 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri·$NEW_AUTH_URI | 123 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri·$NEW_AUTH_URI |
| 113 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_file_perms"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_file_perms"·id="guide-tree-leaf-idm4 | 124 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_file_perms"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_file_perms"·id="guide-tree-leaf-idm4401"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_file_perms">Check-Block-02:·Are·strict·permissions·set·for·Compute·configuration·files? |
| 114 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_file_perms">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Similar·to·the·previous·check,·it·is·recommended·to·set·strict·access·permissions·for·such·configuration·files. | 125 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_file_perms">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Similar·to·the·previous·check,·it·is·recommended·to·set·strict·access·permissions·for·such·configuration·files. |
| 115 | <br> | 126 | <br> |
| 116 | <br> | 127 | <br> |
| 117 | Run·the·following·commands: | 128 | Run·the·following·commands: |
| 118 | <br> | 129 | <br> |
| 119 | <br> | 130 | <br> |
| 120 | <code> | 131 | <code> |
| Offset 155, 32 lines modified | Offset 168, 19 lines modified | ||
| 155 | other········--- | 168 | other········--- |
| 156 | </code> | 169 | </code> |
| 157 | <br> | 170 | <br> |
| 158 | <br> | 171 | <br> |
| 159 | Fail:·If·permissions·are·not·set·to·at·least·640.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 172 | Fail:·If·permissions·are·not·set·to·at·least·640.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 160 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 173 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 161 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 174 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 162 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4 | 175 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4428">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4428"><pre><code>chmod·640·/etc/cinder/cinder.conf |
| 163 | chmod·640·/etc/cinder/api-paste.ini | 176 | chmod·640·/etc/cinder/api-paste.ini |
| 164 | chmod·640·/etc/cinder/policy.json | 177 | chmod·640·/etc/cinder/policy.json |
| 165 | chmod·640·/etc/cinder/rootwrap.conf | 178 | chmod·640·/etc/cinder/rootwrap.conf |
| 166 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_ | 179 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_file_ownership"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_file_ownership"·id="guide-tree-leaf-idm4429"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_file_ownership">Check-Block-01:·Is·user/group·ownership·of·config·files·set·to·root/cinder? |
| 167 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_nova_tls">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·components·communicate·with·each·other·using·various·protocols·and·the·communication·might·involve·sensitive·/·confidential·data.·An·attacker·may·try·to·eavesdrop·on·the·channel·in·order·to·get·access·to·sensitive·information.·Thus·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol. | ||
| 168 | <br> | ||
| 169 | <br> | ||
| 170 | Pass:·If·value·of·parameter·nova_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False. | ||
| 171 | <br> | ||
| 172 | <br> | ||
| 173 | Fail:·If·value·of·parameter·nova_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 174 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 175 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 176 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4402">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4402"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·nova_api_insecure·False | ||
| 177 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_file_ownership"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_file_ownership"·id="guide-tree-leaf-idm4403"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_file_ownership">Check-Block-01:·Is·user/group·ownership·of·config·files·set·to·root/cinder? | ||
| 178 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_file_ownership">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Configuration·files·contain·critical·parameters·and·information·required·for·smooth·functioning·of·the·component.·If·an·unprivileged·user,·either·intentionally·or·accidentally,·modifies·or·deletes·any·of·the·parameters·or·the·file·itself·then·it·would·cause·severe·availability·issues·resulting·in·a·denial·of·service·to·the·other·end·users.·Thus·user·ownership·of·such·critical·configuration·files·must·be·set·to·root·and·group·ownership·must·be·set·to·cinder. | 180 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_file_ownership">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Configuration·files·contain·critical·parameters·and·information·required·for·smooth·functioning·of·the·component.·If·an·unprivileged·user,·either·intentionally·or·accidentally,·modifies·or·deletes·any·of·the·parameters·or·the·file·itself·then·it·would·cause·severe·availability·issues·resulting·in·a·denial·of·service·to·the·other·end·users.·Thus·user·ownership·of·such·critical·configuration·files·must·be·set·to·root·and·group·ownership·must·be·set·to·cinder. |
| 179 | <br> | 181 | <br> |
| 180 | <br> | 182 | <br> |
| 181 | Run·the·following·commands: | 183 | Run·the·following·commands: |
| 182 | <br> | 184 | <br> |
| 183 | <br> | 185 | <br> |
| 184 | <code> | 186 | <code> |
| Offset 196, 46 lines modified | Offset 196, 46 lines modified | ||
| 196 | <br> | 196 | <br> |
| 197 | Pass:·If·user·and·group·ownership·of·all·these·config·files·is·set·to·root·and·cinder·respectively.·The·above·commands·show·output·of·root·cinder. | 197 | Pass:·If·user·and·group·ownership·of·all·these·config·files·is·set·to·root·and·cinder·respectively.·The·above·commands·show·output·of·root·cinder. |
| 198 | <br> | 198 | <br> |
| 199 | <br> | 199 | <br> |
| 200 | Fail:·If·the·above·commands·does·not·return·any·output·as·the·user·and·group·ownership·might·have·set·to·any·user·other·than·root·or·any·group·other·than·cinder.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 200 | Fail:·If·the·above·commands·does·not·return·any·output·as·the·user·and·group·ownership·might·have·set·to·any·user·other·than·root·or·any·group·other·than·cinder.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 201 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 201 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 202 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 202 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 203 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm44 | 203 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm4447">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4447"><pre><code>for·file·in·/etc/cinder/cinder.conf·\ |
| 204 | » » /etc/cinder/api-paste.ini·\ | 204 | » » /etc/cinder/api-paste.ini·\ |
| 205 | » » /etc/cinder/policy.json·\ | 205 | » » /etc/cinder/policy.json·\ |
| Max diff block lines reached; 68940/98431 bytes (70.04%) of diff not shown. | |||
| Offset 1872, 21 lines modified | Offset 1872, 39 lines modified | ||
| 1872 | ····<pre·xml:space="preserve">$·sudo·chmod·0644·/etc/passwd</pre> | 1872 | ····<pre·xml:space="preserve">$·sudo·chmod·0644·/etc/passwd</pre> |
| 1873 | ············</p><span·class="label·label-primary">Rationale:</span><p>If·the·<code>/etc/passwd</code>·file·is·writable·by·a·group-owner·or·the | 1873 | ············</p><span·class="label·label-primary">Rationale:</span><p>If·the·<code>/etc/passwd</code>·file·is·writable·by·a·group-owner·or·the |
| 1874 | world·the·risk·of·its·compromise·is·increased.·The·file·contains·the·list·of | 1874 | world·the·risk·of·its·compromise·is·increased.·The·file·contains·the·list·of |
| 1875 | accounts·on·the·system·and·associated·information,·and·protection·of·this·file | 1875 | accounts·on·the·system·and·associated·information,·and·protection·of·this·file |
| 1876 | is·critical·for·system·security.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 1876 | is·critical·for·system·security.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1877 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 1877 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 1878 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26868-0">CCE-26868-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 1878 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26868-0">CCE-26868-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1879 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000225</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000041</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50257r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm65638">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65638"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> | 1879 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000225</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000041</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50257r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm65638">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65638"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> |
| 1880 | 1880 | chmod·0644·/etc/passwd | |
| 1881 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm65639">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65639"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> | ||
| 1882 | -·name:·Find·/etc/passwd·file(s) | ||
| 1883 | ··find: | ||
| 1884 | ····paths:·"{{·'/etc/passwd'·|·dirname·}}" | ||
| 1885 | ····patterns:·"{{·'/etc/passwd'·|·basename·}}" | ||
| 1886 | ··register:·files_found | ||
| 1887 | ··tags: | ||
| 1888 | ····-·file_permissions_etc_passwd | ||
| 1889 | ····-·medium_severity | ||
| 1890 | ····-·configure_strategy | ||
| 1891 | ····-·low_complexity | ||
| 1892 | ····-·low_disruption | ||
| 1893 | ····-·CCE-26868-0 | ||
| 1894 | ····-·NIST-800-53-AC-6 | ||
| 1895 | ····-·PCI-DSS-Req-8.7.c | ||
| 1896 | ····-·DISA-STIG-RHEL-06-000041 | ||
| 1897 | -·name:·Set·permissions | ||
| 1881 | ··file: | 1898 | ··file: |
| 1882 | ····path | 1899 | ····path:·"{{·item.path·}}" |
| 1883 | ····mode | 1900 | ····mode:·0644 |
| 1884 | ··with_items: | 1901 | ··with_items: |
| 1885 | ····-· | 1902 | ····-·"{{·files_found.files·}}" |
| 1886 | ··tags: | 1903 | ··tags: |
| 1887 | ····-·file_permissions_etc_passwd | 1904 | ····-·file_permissions_etc_passwd |
| 1888 | ····-·medium_severity | 1905 | ····-·medium_severity |
| 1889 | ····-·configure_strategy | 1906 | ····-·configure_strategy |
| 1890 | ····-·low_complexity | 1907 | ····-·low_complexity |
| 1891 | ····-·low_disruption | 1908 | ····-·low_disruption |
| 1892 | ····-·CCE-26868-0 | 1909 | ····-·CCE-26868-0 |
| Offset 2374, 157 lines modified | Offset 2392, 15 lines modified | ||
| 2374 | } | 2392 | } |
| 2375 | » fix_audit_syscall_rule·"auditctl"·"$PATTERN"·"$GROUP"·"$ARCH"·"$FULL_RULE" | 2393 | » fix_audit_syscall_rule·"auditctl"·"$PATTERN"·"$GROUP"·"$ARCH"·"$FULL_RULE" |
| 2376 | done | 2394 | done |
| 2377 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-10.2.2">10.2.2 | 2395 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-10.2.2">10.2.2 |
| 2378 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-10.2.2">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·actions·taken·by·any</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_ | 2396 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-10.2.2">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·actions·taken·by·any</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands"·id="guide-tree-leaf-idm65694"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands">Ensure·auditd·Collects·Information·on·the·Use·of·Privileged·Commands |
| 2379 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>At·a·minimum·the·audit·system·should·collect | ||
| 2380 | administrator·actions·for·all·users·and·root.·Add·the·following·to | ||
| 2381 | <code>/etc/audit/audit.rules</code>: | ||
| 2382 | <pre>-w·/etc/sudoers·-p·wa·-k·actions</pre></p><span·class="label·label-primary">Rationale:</span><p>The·actions·taken·by·system·administrators·should·be·audited·to·keep·a·record | ||
| 2383 | of·what·was·executed·on·the·system,·as·well·as,·for·accountability·purposes.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 2384 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 2385 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26662-7">CCE-26662-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 2386 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(7)(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(10)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.2</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5.b</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000201</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50379r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm65716">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65716"><pre><code> | ||
| 2387 | #·Perform·the·remediation | ||
| 2388 | #·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: | ||
| 2389 | #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements | ||
| 2390 | #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect | ||
| 2391 | #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules | ||
| 2392 | # | ||
| 2393 | #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: | ||
| 2394 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, | ||
| 2395 | #·» » » » » either·'auditctl',·or·'augenrules' | ||
| 2396 | #·*·path························» value·of·-w·audit·rule's·argument | ||
| 2397 | #·*·required·access·bits········» value·of·-p·audit·rule's·argument | ||
| 2398 | #·*·key·························» value·of·-k·audit·rule's·argument | ||
| 2399 | # | ||
| 2400 | #·Example·call: | ||
| 2401 | # | ||
| 2402 | #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" | ||
| 2403 | # | ||
| 2404 | function·fix_audit_watch_rule·{ | ||
| 2405 | #·Load·function·arguments·into·local·variables | ||
| 2406 | local·tool="$1" | ||
| 2407 | local·path="$2" | ||
| 2408 | local·required_access_bits="$3" | ||
| 2409 | local·key="$4" | ||
| 2410 | #·Check·sanity·of·the·input | ||
| 2411 | if·[·$#·-ne·"4"·] | ||
| 2412 | then | ||
| 2413 | » echo·"Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'" | ||
| 2414 | » echo·"Aborting." | ||
| 2415 | » exit·1 | ||
| 2416 | fi | ||
| 2417 | #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness | ||
| 2418 | #·of·a·particular·audit·rule.·The·scheme·is·as·follows: | ||
| 2419 | # | ||
| 2420 | #·----------------------------------------------------------------------------------------- | ||
| 2421 | #·Tool·used·to·load·audit·rules» |·Rule·already·defined» |··Audit·rules·file·to·inspect» ··| | ||
| 2422 | #·----------------------------------------------------------------------------------------- | ||
| 2423 | #» auditctl» » |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| | ||
| 2424 | #·----------------------------------------------------------------------------------------- | ||
| 2425 | #·» augenrules» » |··········Yes»»|··/etc/audit/rules.d/*.rules» ··| | ||
| 2426 | #·» augenrules» » |··········No» » |··/etc/audit/rules.d/$key.rules··| | ||
| 2427 | #·----------------------------------------------------------------------------------------- | ||
| 2428 | declare·-a·files_to_inspect | ||
| 2429 | #·Check·sanity·of·the·specified·audit·tool | ||
| 2430 | if·[·"$tool"·!=·'auditctl'·]·&&·[·"$tool"·!=·'augenrules'·] | ||
| 2431 | then | ||
| 2432 | » echo·"Unknown·audit·rules·loading·tool:·$1.·Aborting." | ||
| 2433 | » echo·"Use·either·'auditctl'·or·'augenrules'!" | ||
| 2434 | » exit·1 | ||
| 2435 | #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' | ||
| 2436 | #·into·the·list·of·files·to·be·inspected | ||
| 2437 | elif·[·"$tool"·==·'auditctl'·] | ||
| 2438 | then | ||
| 2439 | » files_to_inspect=("${files_to_inspect[@]}"·'/etc/audit/audit.rules') | ||
| 2440 | #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined | ||
| 2441 | #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. | ||
| 2442 | #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. | ||
| 2443 | elif·[·"$tool"·==·'augenrules'·] | ||
| 2444 | then | ||
| 2445 | » #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file | ||
| 2446 | » #·Get·pair·--·filepath·:·matching_row·into·@matches·array | ||
| 2447 | » IFS=$'\n'·matches=($(grep·-P·"[\s]*-w[\s]+$path"·/etc/audit/rules.d/*.rules)) | ||
| 2448 | » #·Reset·IFS·back·to·default | ||
| 2449 | » unset·IFS | ||
| 2450 | » #·For·each·of·the·matched·entries | ||
| 2451 | » for·match·in·"${matches[@]}" | ||
| 2452 | » do | ||
| Max diff block lines reached; 241965/258533 bytes (93.59%) of diff not shown. | |||
| Offset 57, 46 lines modified | Offset 57, 44 lines modified | ||
| 57 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1198,·SHA:·bdda777e798c14415249d64418047c1cc9cd8c85417860e53ddf05c3b92b2b1b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·188·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 74 | 74 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 75 | 75 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 76 | 76 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 77 | 77 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 78 | 78 | <br><br> | |
| 79 | 79 | However,·there·are·some·FTP·server·configurations·which·may | |
| 80 | 80 | be·appropriate·for·some·environments,·particularly·those·which | |
| 81 | 81 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 82 | de | 82 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_s | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 84 | 84 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29095"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package | |
| 85 | a | 85 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 86 | sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_samba_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_samba_removed"·id="guide-tree-leaf-idm28988"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_samba_removed">Uninstall·samba·Package | ||
| 87 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_samba_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 88 | ············ | 86 | ············ |
| 89 | ········The·<code>s | 87 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: |
| 90 | ········<pre>$·sudo·yum·erase·s | 88 | ········<pre>$·sudo·yum·erase·vsftpd</pre> |
| 91 | ··········</p><span·class="label·label-primary">Rationale:</span><p> | 89 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 92 | 90 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 93 | the·potential·attack·surface.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 94 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 91 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 95 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-2 | 92 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26687-4">CCE-26687-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 93 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 96 | # | 94 | # |
| 97 | #·Example·Call(s): | 95 | #·Example·Call(s): |
| 98 | # | 96 | # |
| 99 | #·····package_remove·telnet-server | 97 | #·····package_remove·telnet-server |
| 100 | # | 98 | # |
| 101 | function·package_remove·{ | 99 | function·package_remove·{ |
| Offset 125, 60 lines modified | Offset 123, 61 lines modified | ||
| 125 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 123 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 126 | ··echo·"Aborting." | 124 | ··echo·"Aborting." |
| 127 | ··exit·1 | 125 | ··exit·1 |
| 128 | fi | 126 | fi |
| 129 | } | 127 | } |
| 130 | package_remove·s | 128 | package_remove·vsftpd |
| 131 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm2 | 129 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29106">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29106"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·removed |
| 132 | ··package: | 130 | ··package: |
| 133 | ····name="{{item}}" | 131 | ····name="{{item}}" |
| 134 | ····state=absent | 132 | ····state=absent |
| 135 | ··with_items: | 133 | ··with_items: |
| 136 | ····-·s | 134 | ····-·vsftpd |
| 137 | ··tags: | 135 | ··tags: |
| 138 | ····-·package_s | 136 | ····-·package_vsftpd_removed |
| 139 | ····-·unknown_severity | 137 | ····-·unknown_severity |
| 140 | ····-·disable_strategy | 138 | ····-·disable_strategy |
| 141 | ····-·low_complexity | 139 | ····-·low_complexity |
| 142 | ····-·low_disruption | 140 | ····-·low_disruption |
| 143 | ····-·CCE-2 | 141 | ····-·CCE-26687-4 |
| 144 | 142 | ····-·NIST-800-53-CM-7 | |
| 143 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29107">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29107"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_vsftpd | ||
| 145 | class·remove_s | 144 | class·remove_vsftpd·{ |
| 146 | ··package·{·'s | 145 | ··package·{·'vsftpd': |
| 147 | ····ensure·=>·'purged', | 146 | ····ensure·=>·'purged', |
| 148 | ··} | 147 | ··} |
| 149 | } | 148 | } |
| 150 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm2 | 149 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 151 | package·--remove=s | 150 | package·--remove=vsftpd |
| 152 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server | 151 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server |
| 153 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to | 152 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to |
| 154 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant | 153 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant |
| 155 | security·risk·because: | 154 | security·risk·because: |
| 156 | <br><br> | 155 | <br><br> |
| 157 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long | 156 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long |
| 158 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive | 157 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive |
| 159 | monitoring</li></ul> | 158 | monitoring</li></ul> |
| 160 | <br><br> | 159 | <br><br> |
| 161 | The·system's·default·web·server·software·is·Apache·2·and·is | 160 | The·system's·default·web·server·software·is·Apache·2·and·is |
| 162 | provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable·Apache·if·Possible | 161 | provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable·Apache·if·Possible |
| 163 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Apache·was·installed·and·activated,·but·the·system | 162 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Apache·was·installed·and·activated,·but·the·system |
| 164 | does·not·need·to·act·as·a·web·server,·then·it·should·be·disabled | 163 | does·not·need·to·act·as·a·web·server,·then·it·should·be·disabled |
| 165 | and·removed·from·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed"·id="guide-tree-leaf-idm291 | 164 | and·removed·from·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed"·id="guide-tree-leaf-idm29158"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_httpd_removed">Uninstall·httpd·Package |
| 166 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_httpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 165 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_httpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 167 | ············ | 166 | ············ |
| 168 | ········The·<code>httpd</code>·package·can·be·removed·with·the·following·command: | 167 | ········The·<code>httpd</code>·package·can·be·removed·with·the·following·command: |
| 169 | ········<pre>$·sudo·yum·erase·httpd</pre> | 168 | ········<pre>$·sudo·yum·erase·httpd</pre> |
| 170 | ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·make·the·web·server·software·available, | 169 | ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·make·the·web·server·software·available, |
| 171 | removing·it·provides·a·safeguard·against·its·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 170 | removing·it·provides·a·safeguard·against·its·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 172 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 171 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 173 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27133-8">CCE-27133-8</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 172 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27133-8">CCE-27133-8</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 174 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm291 | 173 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29166">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29166"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 175 | # | 174 | # |
| 176 | #·Example·Call(s): | 175 | #·Example·Call(s): |
| 177 | # | 176 | # |
| 178 | #·····package_remove·telnet-server | 177 | #·····package_remove·telnet-server |
| 179 | # | 178 | # |
| 180 | function·package_remove·{ | 179 | function·package_remove·{ |
| Offset 208, 90 lines modified | Offset 207, 55 lines modified | ||
| 208 | ··echo·"Aborting." | 207 | ··echo·"Aborting." |
| 209 | ··exit·1 | 208 | ··exit·1 |
| 210 | fi | 209 | fi |
| 211 | } | 210 | } |
| 212 | package_remove·httpd | 211 | package_remove·httpd |
| 213 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm291 | 212 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29168">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29168"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·httpd·is·removed |
| 214 | ··package: | 213 | ··package: |
| 215 | ····name="{{item}}" | 214 | ····name="{{item}}" |
| 216 | ····state=absent | 215 | ····state=absent |
| 217 | ··with_items: | 216 | ··with_items: |
| 218 | ····-·httpd | 217 | ····-·httpd |
| 219 | ··tags: | 218 | ··tags: |
| 220 | ····-·package_httpd_removed | 219 | ····-·package_httpd_removed |
| 221 | ····-·unknown_severity | 220 | ····-·unknown_severity |
| 222 | ····-·disable_strategy | 221 | ····-·disable_strategy |
| Max diff block lines reached; 1641676/1669443 bytes (98.34%) of diff not shown. | |||
| Offset 48, 46 lines modified | Offset 48, 65 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1198,·SHA:·bdda777e798c14415249d64418047c1cc9cd8c85417860e53ddf05c3b92b2b1b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·313·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 63 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·124·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 63 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·124·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 65 | 65 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 66 | 66 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 67 | 67 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 68 | 68 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 69 | 69 | <br><br> | |
| 70 | 70 | However,·there·are·some·FTP·server·configurations·which·may | |
| 71 | 71 | be·appropriate·for·some·environments,·particularly·those·which | |
| 72 | 72 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 73 | de | 73 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is |
| 75 | 75 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | |
| 76 | a | 76 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29019"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions |
| 77 | 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | |
| 78 | 78 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | |
| 79 | <pre>xferlog_enable=YES | ||
| 80 | xferlog_std_format=NO | ||
| 81 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | ||
| 82 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | ||
| 83 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 84 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 85 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27142-9">CCE-27142-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 86 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000339</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users | ||
| 87 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 88 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 89 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 90 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 91 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27145-2">CCE-27145-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 92 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000348</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible | ||
| 93 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all | ||
| 94 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | ||
| 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 79 | ············ | 96 | ············ |
| 80 | ········The·<code>s | 97 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 81 | ········<pre>$·sudo·chkconfig·s | 98 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 82 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running· | 99 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue |
| 83 | 100 | of·attack,·and·should·be·disabled·if·not·needed. | |
| 101 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | ||
| 102 | a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 84 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 103 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 85 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-2 | 104 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26948-0">CCE-26948-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 86 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm2 | 105 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29088">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29088"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 87 | # | 106 | # |
| 88 | #·Example·Call(s): | 107 | #·Example·Call(s): |
| 89 | # | 108 | # |
| 90 | #·····service_command·enable·bluetooth | 109 | #·····service_command·enable·bluetooth |
| 91 | #·····service_command·disable·bluetooth.service | 110 | #·····service_command·disable·bluetooth.service |
| 92 | # | 111 | # |
| 93 | #·····Using·xinetd: | 112 | #·····Using·xinetd: |
| Offset 154, 139 lines modified | Offset 173, 125 lines modified | ||
| 154 | ··else | 173 | ··else |
| 155 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 174 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 156 | ··fi | 175 | ··fi |
| 157 | fi | 176 | fi |
| 158 | } | 177 | } |
| 159 | service_command·disable·s | 178 | service_command·disable·vsftpd |
| 160 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm2 | 179 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd |
| 161 | ··service: | 180 | ··service: |
| 162 | ····name="{{item}}" | 181 | ····name="{{item}}" |
| 163 | ····enabled="no" | 182 | ····enabled="no" |
| 164 | ····state="stopped" | 183 | ····state="stopped" |
| 165 | ··register:·service_result | 184 | ··register:·service_result |
| 166 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 185 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 167 | ··with_items: | 186 | ··with_items: |
| 168 | ····-·s | 187 | ····-·vsftpd |
| 169 | ··tags: | 188 | ··tags: |
| 170 | ····-·service_s | 189 | ····-·service_vsftpd_disabled |
| 171 | ····-·unknown_severity | 190 | ····-·unknown_severity |
| 172 | ····-·disable_strategy | 191 | ····-·disable_strategy |
| 173 | ····-·low_complexity | 192 | ····-·low_complexity |
| 174 | ····-·low_disruption | 193 | ····-·low_disruption |
| 175 | ····-·CCE-2 | 194 | ····-·CCE-26948-0 |
| 176 | 195 | ····-·NIST-800-53-CM-7 | |
| 177 | · | 196 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29095"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package |
| 178 | 197 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | |
| 179 | 198 | ············ | |
| 180 | 199 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | |
| 181 | 200 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | |
| 182 | an | 201 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 183 | 202 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 184 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_smb_server_disable_root"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_smb_server_disable_root"·id="guide-tree-leaf-idm29046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_smb_server_disable_root">Disable·Root·Access·to·SMB·Shares | ||
| 185 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_smb_server_disable_root">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Administrators·should·not·use·administrator·accounts·to·access | ||
| 186 | Samba·file·and·printer·shares.·Disable·the·root·user·and·the·wheel | ||
| 187 | administrator·group: | ||
| 188 | <pre>[<i>share</i>] | ||
| 189 | ··invalid·users·=·root·@wheel</pre> | ||
| 190 | If·administrator·accounts·cannot·be·disabled,·ensure·that·local·system | ||
| 191 | passwords·and·Samba·service·passwords·do·not·match.</p><span·class="label·label-primary">Rationale:</span><p>Typically,·administrator·access·is·required·when·Samba·must·create·user·and | ||
| 192 | system·accounts·and·shares.·Domain·member·servers·and·standalone·servers·may | ||
| 193 | not·need·administrator·access·at·all.·If·that·is·the·case,·add·the·invalid | ||
| 194 | users·parameter·to·<code>[global]</code>·instead.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 195 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 196 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27533-9">CCE-27533-9</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29054"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient | ||
| 197 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | ||
| 198 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | ||
| 199 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | ||
| 200 | <pre>client·signing·=·mandatory</pre> | ||
| 201 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | ||
| 202 | signing·ensures·they·can | ||
| 203 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | ||
| 204 | man-in-the-middle·attacks·which·modify·SMB·packets·in | ||
| 205 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 206 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 203 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 207 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26 | 204 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26687-4">CCE-26687-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 208 | ············<a·href="http://iase.disa.mil/stigs/ | 205 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 209 | # | 206 | # |
| 210 | # | 207 | #·Example·Call(s): |
| 211 | # | 208 | # |
| 209 | #·····package_remove·telnet-server | ||
| Max diff block lines reached; 2499793/2532415 bytes (98.71%) of diff not shown. | |||
| Offset 53, 278 lines modified | Offset 53, 148 lines modified | ||
| 53 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 53 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 54 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 54 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 55 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 55 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 56 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 56 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 57 | quality,·reliability,·or·any·other·characteristic. | 57 | quality,·reliability,·or·any·other·characteristic. |
| 58 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 58 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 59 | ····························(as·of·2018-07-26) | 59 | ····························(as·of·2018-07-26) |
| 60 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 60 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SS[·...·truncated·by·diffoscope;·len:·769,·SHA:·db505ea275ff2d5c2ba13f068156b97f7fb51fc9aa062d91c74450db7783e2d3·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·215·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 61 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 61 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 62 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 62 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 63 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 63 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 64 | ones·can·be·safely·disabled. | 64 | ones·can·be·safely·disabled. |
| 65 | <br><br> | 65 | <br><br> |
| 66 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 66 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 67 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 67 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 68 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·62·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 68 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·62·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 70 | 70 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 71 | se | 71 | that·passwords·and·other·data·transmitted·during·the·session·can·be |
| 72 | 72 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 73 | 73 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 74 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive | ||
| 75 | monitoring</li></ul> | ||
| 76 | <br><br> | ||
| 77 | The·system's·default·web·server·software·is·Apache·2·and·is | ||
| 78 | provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_securing_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_securing_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_securing_httpd">Secure·Apache·Configuration | ||
| 79 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_securing_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>httpd</code>·configuration·file·is | ||
| 80 | <code>/etc/httpd/conf/httpd.conf</code>.·Apply·the·recommendations·in·the·remainder | ||
| 81 | of·this·section·to·this·file.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_securing_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">Restrict·Web·Server·Information·Leakage | ||
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>ServerTokens</code>·and·<code>ServerSignature</code>·directives·determine·how | ||
| 83 | much·information·the·web·server·discloses·about·the·configuration·of·the | ||
| 84 | system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_servertokens_prod"·id="guide-tree-leaf-idm29164"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod">Set·httpd·ServerTokens·Directive·to·Prod | ||
| 85 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_servertokens_prod">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p><code>ServerTokens·Prod</code>·restricts·information·in·page·headers,·returning·only·the·word·"Apache." | ||
| 86 | <br><br> | 74 | <br><br> |
| 87 | 75 | However,·there·are·some·FTP·server·configurations·which·may | |
| 88 | 76 | be·appropriate·for·some·environments,·particularly·those·which | |
| 89 | 77 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 90 | 78 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible | |
| 91 | ············ | 79 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 92 | 80 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | |
| 93 | ···················· | 81 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 94 | 82 | ············ | |
| 95 | ········ | 83 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 96 | ········ | 84 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 97 | 85 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue | |
| 98 | 86 | of·attack,·and·should·be·disabled·if·not·needed. | |
| 99 | 87 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | |
| 100 | 88 | a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 101 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29233">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29233"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> | ||
| 102 | chmod·0640·/etc/httpd/conf/* | ||
| 103 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29234">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29234"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> | ||
| 104 | -·name:·Find·/etc/httpd/conf/*·file(s) | ||
| 105 | ··find: | ||
| 106 | ····paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}" | ||
| 107 | ····patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}" | ||
| 108 | ··register:·files_found | ||
| 109 | ··tags: | ||
| 110 | ····-·file_permissions_httpd_server_conf_files | ||
| 111 | ····-·unknown_severity | ||
| 112 | ····-·configure_strategy | ||
| 113 | ····-·low_complexity | ||
| 114 | ····-·low_disruption | ||
| 115 | ····-·CCE-27316-9 | ||
| 116 | ····-·NIST-800-53-CM-7 | ||
| 117 | -·name:·Set·permissions | ||
| 118 | ··file: | ||
| 119 | ····path:·"{{·item.path·}}" | ||
| 120 | ····mode:·0640 | ||
| 121 | ··with_items: | ||
| 122 | ····-·"{{·files_found.files·}}" | ||
| 123 | ··tags: | ||
| 124 | ····-·file_permissions_httpd_server_conf_files | ||
| 125 | ····-·unknown_severity | ||
| 126 | ····-·configure_strategy | ||
| 127 | ····-·low_complexity | ||
| 128 | ····-·low_disruption | ||
| 129 | ····-·CCE-27316-9 | ||
| 130 | ····-·NIST-800-53-CM-7 | ||
| 131 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·id="guide-tree-leaf-idm29237"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">Set·Permissions·on·the·/var/log/httpd/·Directory | ||
| 132 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Ensure·that·the·permissions·on·the·web·server·log·directory·is·set·to·700: | ||
| 133 | <pre>$·sudo·chmod·700·/var/log/httpd/</pre> | ||
| 134 | This·is·its·default·setting.</p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker | ||
| 135 | to·access·information·about·the·web·server·or·alter·the·server's·log·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 136 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 89 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 137 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-2 | 90 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26948-0">CCE-26948-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 138 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div>< | 91 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29088">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29088"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 139 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. | ||
| 140 | Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious | ||
| 141 | targets·of·network·attack. | ||
| 142 | Ensure·that·systems·are·not·running·MTAs·unnecessarily, | ||
| 143 | and·configure·needed·MTAs·as·defensively·as·possible. | ||
| 144 | <br><br> | ||
| 145 | Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the | ||
| 146 | network.·Users·should·instead·use·mail·client·programs·to·retrieve·email | ||
| 147 | from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. | ||
| 148 | However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, | ||
| 149 | for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. | ||
| 150 | Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from | ||
| 151 | the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), | ||
| 152 | but·the·system·still·cannot·receive·mail·directly·over·a·network. | ||
| 153 | <br><br> | ||
| 154 | The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software | ||
| 155 | (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. | ||
| 156 | Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by | ||
| 157 | SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. | ||
| 158 | More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients | ||
| 159 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only | ||
| 160 | e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29530"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening | ||
| 161 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following | ||
| 162 | <code>inet_interfaces</code>·line·appears: | ||
| 163 | <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages | ||
| 164 | (such·as·cron·job·reports)·from·the·local·system·only, | ||
| 165 | and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 166 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 167 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26780-7">CCE-26780-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 168 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000249</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_sendmail_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed"·id="guide-tree-leaf-idm29625"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_sendmail_removed">Uninstall·Sendmail·Package | ||
| 169 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_sendmail_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Sendmail·is·not·the·default·mail·transfer·agent·and·is | ||
| 170 | not·installed·by·default. | ||
| 171 | ········The·<code>sendmail</code>·package·can·be·removed·with·the·following·command: | ||
| 172 | ········<pre>$·sudo·yum·erase·sendmail</pre></p><span·class="label·label-primary">Rationale:</span><p>The·sendmail·software·was·not·developed·with·security·in·mind·and | ||
| 173 | its·design·prevents·it·from·being·effectively·contained·by·SELinux.··Postfix | ||
| 174 | should·be·used·instead.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 175 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 176 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27515-6">CCE-27515-6</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 177 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000288</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50472r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29636">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29636"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| Max diff block lines reached; 1677183/1710229 bytes (98.07%) of diff not shown. | |||
| Offset 48, 89 lines modified | Offset 48, 44 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li[·...·truncated·by·diffoscope;·len:·1394,·SHA:·9a1bfb5c7765341b73597905fe9f3f980e67a77f0272acdc04afd633558c2516·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 64 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 64 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 66 | 66 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 67 | 67 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 68 | 68 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 69 | 69 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 70 | 70 | <br><br> | |
| 71 | 71 | However,·there·are·some·FTP·server·configurations·which·may | |
| 72 | 72 | be·appropriate·for·some·environments,·particularly·those·which | |
| 73 | 73 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 74 | de | 74 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 75 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 75 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is |
| 76 | 76 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | |
| 77 | a | 77 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict·the·Set·of·Users·Allowed·to·Access·FTP |
| 78 | 78 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·describes·how·to·disable·non-anonymous·(password-based)·FTP·logins,·or,·if·it·is·not·possible·to | |
| 79 | 79 | do·this·entirely·due·to·legacy·applications,·how·to·restrict·insecure·FTP·login·to·only·those·users·who·have·an | |
| 80 | <co | 80 | identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 81 | <c | 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and |
| 82 | 82 | set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible | |
| 83 | s | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 84 | and·al | 84 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server |
| 85 | printers.·It·is·recommended·that·these·settings·be·changed·or·that | ||
| 86 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb_disable_printing"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_disable_printing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_smb_disable_printing">Restrict·Printer·Sharing | ||
| 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb_disable_printing">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·Samba·utilizes·the·CUPS·printing·service·to·enable | ||
| 88 | printer·sharing·with·Microsoft·Windows·workstations.·If·there·are·no·printers | ||
| 89 | on·the·local·system,·or·if·printer·sharing·with·Microsoft·Windows·is·not | ||
| 90 | required,·disable·the·printer·sharing·capability·by·commenting·out·the | ||
| 91 | following·lines,·found·in·<code>/etc/samba/smb.conf</code>: | ||
| 92 | <pre>[global] | ||
| 93 | ··load·printers·=·yes | ||
| 94 | ··cups·options·=·raw | ||
| 95 | [printers] | ||
| 96 | ··comment·=·All·Printers | ||
| 97 | ··path·=·/usr/spool/samba | ||
| 98 | ··browseable·=·no | ||
| 99 | ··guest·ok·=·no | ||
| 100 | ··writable·=·no | ||
| 101 | ··printable·=·yes</pre> | ||
| 102 | There·may·be·other·options·present,·but·these·are·the·only·options·enabled·and | ||
| 103 | uncommented·by·default.·Removing·the·<code>[printers]</code>·share·should·be·enough | ||
| 104 | for·most·users.··If·the·Samba·printer·sharing·capability·is·needed,·consider | ||
| 105 | disabling·the·Samba·network·browsing·capability·or·restricting·access·to·a | ||
| 106 | particular·set·of·users·or·network·addresses.·Set·the·<code>valid·users</code> | ||
| 107 | parameter·to·a·small·subset·of·users·or·restrict·it·to·a·particular·group·of | ||
| 108 | users·with·the·shorthand·<code>@</code>.·Separate·each·user·or·group·of·users·with | ||
| 109 | a·space.·For·example,·under·the·<code>[printers]</code>·share: | ||
| 110 | <pre>[printers] | ||
| 111 | ··valid·users·=·user·@printerusers</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb_disable_printing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">Restrict·SMB·File·Sharing·to·Configured·Networks | ||
| 112 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Only·users·with·local·user·accounts·will·be·able·to·log·in·to | ||
| 113 | Samba·shares·by·default.·Shares·can·be·limited·to·particular·users·or·network | ||
| 114 | addresses.·Use·the·<code>hosts·allow</code>·and·<code>hosts·deny</code>·directives | ||
| 115 | accordingly,·and·consider·setting·the·valid·users·directive·to·a·limited·subset | ||
| 116 | of·users·or·to·a·group·of·users.·Separate·each·address,·user,·or·user·group | ||
| 117 | with·a·space·as·follows·for·a·particular·<i>share</i>·or·global: | ||
| 118 | <pre>[<i>share</i>] | ||
| 119 | ··hosts·allow·=·192.168.1.·127.0.0.1 | ||
| 120 | ··valid·users·=·userone·usertwo·@usergroup</pre> | ||
| 121 | It·is·also·possible·to·limit·read·and·write·access·to·particular·users·with·the | ||
| 122 | read·list·and·write·list·options,·though·the·permissions·set·by·the·system | ||
| 123 | itself·will·override·these·settings.·Set·the·read·only·attribute·for·each·share | ||
| 124 | to·ensure·that·global·settings·will·not·accidentally·override·the·individual | ||
| 125 | share·settings.·Then,·as·with·the·valid·users·directive,·separate·each·user·or | ||
| 126 | group·of·users·with·a·space: | ||
| 127 | <pre>[<i>share</i>] | ||
| 128 | ··read·only·=·yes | ||
| 129 | ··write·list·=·userone·usertwo·@usergroup</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server | ||
| 130 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to | 85 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to |
| 131 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant | 86 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant |
| 132 | security·risk·because: | 87 | security·risk·because: |
| 133 | <br><br> | 88 | <br><br> |
| 134 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long | 89 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long |
| 135 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive | 90 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive |
| 136 | monitoring</li></ul> | 91 | monitoring</li></ul> |
| Offset 343, 165 lines modified | Offset 298, 179 lines modified | ||
| 343 | <pre>#LoadModule·ext_filter_module·modules/mod_ext_filter.so</pre></li><li>User-specified·Cache·Control·and·Expiration | 298 | <pre>#LoadModule·ext_filter_module·modules/mod_ext_filter.so</pre></li><li>User-specified·Cache·Control·and·Expiration |
| 344 | <pre>#LoadModule·expires_module·modules/mod_expires.so</pre></li><li>Compression·Output·Filter·(provides·content·compression·prior·to·client·delivery) | 299 | <pre>#LoadModule·expires_module·modules/mod_expires.so</pre></li><li>Compression·Output·Filter·(provides·content·compression·prior·to·client·delivery) |
| 345 | <pre>#LoadModule·deflate_module·modules/mod_deflate.so</pre></li><li>HTTP·Response/Request·Header·Customization | 300 | <pre>#LoadModule·deflate_module·modules/mod_deflate.so</pre></li><li>HTTP·Response/Request·Header·Customization |
| 346 | <pre>#LoadModule·headers_module·modules/mod_headers.so</pre></li><li>User·activity·monitoring·via·cookies | 301 | <pre>#LoadModule·headers_module·modules/mod_headers.so</pre></li><li>User·activity·monitoring·via·cookies |
| 347 | <pre>#LoadModule·usertrack_module·modules/mod_usertrack.so</pre></li><li>Dynamically·configured·mass·virtual·hosting | 302 | <pre>#LoadModule·usertrack_module·modules/mod_usertrack.so</pre></li><li>Dynamically·configured·mass·virtual·hosting |
| 348 | <pre>#LoadModule·vhost_alias_module·modules/mod_vhost_alias.so</pre></li></ul> | 303 | <pre>#LoadModule·vhost_alias_module·modules/mod_vhost_alias.so</pre></li></ul> |
| 349 | Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 304 | Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 350 | by·limiting·the·capabilities·allowed·by·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 305 | by·limiting·the·capabilities·allowed·by·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server |
| 351 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 306 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at |
| 352 | 307 | least·one·nameserver.·However,·there·are·many·common·attacks | |
| 353 | 308 | involving·DNS·server·software,·and·this·server·software·should | |
| 354 | 309 | be·disabled·on·any·system | |
| 355 | and·con | 310 | on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_isolation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_isolation">Isolate·DNS·from·Other·Services |
| 356 | < | 311 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server |
| 357 | 312 | from·interfering·with·other·services.·This·is·done·both·to·protect·the | |
| 358 | ne | 313 | remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct |
| 359 | fro | 314 | attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail |
| 360 | 315 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package: | |
| 361 | 316 | <pre>$·sudo·yum·install·bind-chroot</pre> | |
| 362 | 317 | Place·a·valid·named.conf·file·inside·the·chroot·jail: | |
| 363 | 318 | <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf | |
| 364 | 319 | $·sudo·chown·root:root·/var/named/chroot/etc/named.conf | |
| 365 | 320 | $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre> | |
| 366 | 321 | Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the | |
| 367 | 322 | options·directive.·If·your·<code>named.conf</code>·includes: | |
| 368 | 323 | <pre>options·{ | |
| 369 | 324 | directory·"/path/to/DIRNAME·"; | |
| 370 | 325 | ... | |
| 371 | 326 | }</pre> | |
| 372 | 327 | then·copy·that·directory·and·its·contents·from·the·original·zone·directory: | |
| 373 | 328 | <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre> | |
| 374 | 329 | Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>: | |
| 375 | 330 | <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers | |
| 376 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 331 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is |
| 377 | 332 | a·high-risk·service·which·must·frequently·be·made·available·to·the·entire | |
| 378 | 333 | Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by | |
| 379 | 334 | machines·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_protection"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_protection">Protect·DNS·Data·from·Tampering·or·Attack | |
| Max diff block lines reached; 198673/260554 bytes (76.25%) of diff not shown. | |||
| Offset 49, 46 lines modified | Offset 49, 46 lines modified | ||
| 49 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 49 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 50 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 50 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 51 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 51 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 52 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 52 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 53 | quality,·reliability,·or·any·other·characteristic. | 53 | quality,·reliability,·or·any·other·characteristic. |
| 54 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 54 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 55 | ····························(as·of·2018-07-26) | 55 | ····························(as·of·2018-07-26) |
| 56 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 56 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·1034,·SHA:·1b10be6148833f42610be20bd7d90e370d8d04968a079fa39af8874411e4f268·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·206·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 64 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·63·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 64 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·63·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 66 | 66 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 67 | 67 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 68 | 68 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 69 | 69 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 70 | 70 | <br><br> | |
| 71 | 71 | However,·there·are·some·FTP·server·configurations·which·may | |
| 72 | 72 | be·appropriate·for·some·environments,·particularly·those·which | |
| 73 | 73 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 74 | de | 74 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 75 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_s | 75 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 76 | 76 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | |
| 77 | a | 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 78 | sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm28973"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba | ||
| 79 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 80 | ············ | 78 | ············ |
| 81 | ········The·<code>s | 79 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 82 | ········<pre>$·sudo·chkconfig·s | 80 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 83 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running· | 81 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue |
| 84 | 82 | of·attack,·and·should·be·disabled·if·not·needed. | |
| 83 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | ||
| 84 | a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 85 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 85 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 86 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-2 | 86 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26948-0">CCE-26948-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 87 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm2 | 87 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29088">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29088"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 88 | # | 88 | # |
| 89 | #·Example·Call(s): | 89 | #·Example·Call(s): |
| 90 | # | 90 | # |
| 91 | #·····service_command·enable·bluetooth | 91 | #·····service_command·enable·bluetooth |
| 92 | #·····service_command·disable·bluetooth.service | 92 | #·····service_command·disable·bluetooth.service |
| 93 | # | 93 | # |
| 94 | #·····Using·xinetd: | 94 | #·····Using·xinetd: |
| Offset 155, 127 lines modified | Offset 155, 125 lines modified | ||
| 155 | ··else | 155 | ··else |
| 156 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 156 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 157 | ··fi | 157 | ··fi |
| 158 | fi | 158 | fi |
| 159 | } | 159 | } |
| 160 | service_command·disable·s | 160 | service_command·disable·vsftpd |
| 161 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm2 | 161 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd |
| 162 | ··service: | 162 | ··service: |
| 163 | ····name="{{item}}" | 163 | ····name="{{item}}" |
| 164 | ····enabled="no" | 164 | ····enabled="no" |
| 165 | ····state="stopped" | 165 | ····state="stopped" |
| 166 | ··register:·service_result | 166 | ··register:·service_result |
| 167 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 167 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 168 | ··with_items: | 168 | ··with_items: |
| 169 | ····-·s | 169 | ····-·vsftpd |
| 170 | ··tags: | 170 | ··tags: |
| 171 | ····-·service_s | 171 | ····-·service_vsftpd_disabled |
| 172 | ····-·unknown_severity | 172 | ····-·unknown_severity |
| 173 | ····-·disable_strategy | 173 | ····-·disable_strategy |
| 174 | ····-·low_complexity | 174 | ····-·low_complexity |
| 175 | ····-·low_disruption | 175 | ····-·low_disruption |
| 176 | ····-·CCE-2 | 176 | ····-·CCE-26948-0 |
| 177 | 177 | ····-·NIST-800-53-CM-7 | |
| 178 | · | 178 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29095"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package |
| 179 | 179 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | |
| 180 | 180 | ············ | |
| 181 | 181 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | |
| 182 | 182 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | |
| 183 | an | 183 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 184 | 184 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 185 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29054"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient | ||
| 186 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | ||
| 187 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | ||
| 188 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | ||
| 189 | <pre>client·signing·=·mandatory</pre> | ||
| 190 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | ||
| 191 | signing·ensures·they·can | ||
| 192 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | ||
| 193 | man-in-the-middle·attacks·which·modify·SMB·packets·in | ||
| 194 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 195 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 185 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 196 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26 | 186 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26687-4">CCE-26687-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 197 | ············<a·href="http://iase.disa.mil/stigs/ | 187 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 198 | # | 188 | # |
| 199 | # | 189 | #·Example·Call(s): |
| 200 | # | 190 | # |
| 191 | #·····package_remove·telnet-server | ||
| 192 | # | ||
| 193 | function·package_remove·{ | ||
| 201 | 194 | #·Load·function·arguments·into·local·variables | |
| 195 | local·package="$1" | ||
| 202 | 196 | #·Check·sanity·of·the·input | |
| 203 | 197 | if·[·$#·-ne·"1"·] | |
| 204 | 198 | then | |
| 199 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 200 | ··echo·"Aborting." | ||
| 201 | ··exit·1 | ||
| 202 | fi | ||
| 203 | if·which·dnf·;·then | ||
| 204 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 205 | ····dnf·remove·-y·"$package" | ||
| 206 | ··fi | ||
| 207 | elif·which·yum·;·then | ||
| 208 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 209 | ····yum·remove·-y·"$package" | ||
| 210 | ··fi | ||
| 211 | elif·which·apt-get·;·then | ||
| 212 | ··apt-get·remove·-y·"$package" | ||
| 205 | else | 213 | else |
| 206 | 214 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 215 | ··echo·"Aborting." | ||
| 216 | ··exit·1 | ||
| 207 | fi | 217 | fi |
| Max diff block lines reached; 1730156/1756860 bytes (98.48%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_o | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·81,·SHA:·4c0efd7fd5ff299a2185037a736930f562109fd8f8ac833d06c44618aa2adc79·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·211·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 83, 15 lines modified | Offset 83, 15 lines modified | ||
| 83 | <br><br> | 83 | <br><br> |
| 84 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 84 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 85 | servers,·and·the·remainder·obtaining·time·information·from·those | 85 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 86 | internal·servers. | 86 | internal·servers. |
| 87 | <br><br> | 87 | <br><br> |
| 88 | More·information·on·how·to·configure·the·NTP·server·software, | 88 | More·information·on·how·to·configure·the·NTP·server·software, |
| 89 | including·configuration·of·cryptographic·authentication·for | 89 | including·configuration·of·cryptographic·authentication·for |
| 90 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 90 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 92 | ·········· | 92 | ·········· |
| 93 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 93 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 94 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 94 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 95 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 95 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 96 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 96 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 97 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 97 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 101, 15 lines modified | Offset 101, 15 lines modified | ||
| 101 | logs·and·auditing·possible·security·breaches.·· | 101 | logs·and·auditing·possible·security·breaches.·· |
| 102 | <br><br> | 102 | <br><br> |
| 103 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 103 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 104 | deprecated.··Additional·information·on·this·is·available·at· | 104 | deprecated.··Additional·information·on·this·is·available·at· |
| 105 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 105 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 106 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 106 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 107 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 107 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 108 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 108 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 109 | # | 109 | # |
| 110 | #·Example·Call(s): | 110 | #·Example·Call(s): |
| 111 | # | 111 | # |
| 112 | #·····service_command·enable·bluetooth | 112 | #·····service_command·enable·bluetooth |
| 113 | #·····service_command·disable·bluetooth.service | 113 | #·····service_command·disable·bluetooth.service |
| 114 | # | 114 | # |
| 115 | #·····Using·xinetd: | 115 | #·····Using·xinetd: |
| Offset 177, 15 lines modified | Offset 177, 15 lines modified | ||
| 177 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 177 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 178 | ··fi | 178 | ··fi |
| 179 | fi | 179 | fi |
| 180 | } | 180 | } |
| 181 | service_command·enable·ntpd | 181 | service_command·enable·ntpd |
| 182 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 182 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 183 | ··service: | 183 | ··service: |
| 184 | ····name="{{item}}" | 184 | ····name="{{item}}" |
| 185 | ····enabled="yes" | 185 | ····enabled="yes" |
| 186 | ····state="started" | 186 | ····state="started" |
| 187 | ··with_items: | 187 | ··with_items: |
| 188 | ····-·ntpd | 188 | ····-·ntpd |
| 189 | ··tags: | 189 | ··tags: |
| Offset 194, 37 lines modified | Offset 194, 252 lines modified | ||
| 194 | ····-·enable_strategy | 194 | ····-·enable_strategy |
| 195 | ····-·low_complexity | 195 | ····-·low_complexity |
| 196 | ····-·low_disruption | 196 | ····-·low_disruption |
| 197 | ····-·CCE-27093-4 | 197 | ····-·CCE-27093-4 |
| 198 | ····-·NIST-800-53-AU-8(1) | 198 | ····-·NIST-800-53-AU-8(1) |
| 199 | ····-·PCI-DSS-Req-10.4 | 199 | ····-·PCI-DSS-Req-10.4 |
| 200 | ····-·DISA-STIG-RHEL-06-000247 | 200 | ····-·DISA-STIG-RHEL-06-000247 |
| 201 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29 | 201 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29887"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 202 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | 202 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization |
| 203 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | 203 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the |
| 204 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | 204 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for |
| 205 | <em>ntpserver</em>: | 205 | <em>ntpserver</em>: |
| 206 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | 206 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of |
| 207 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | 207 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes |
| 208 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | 208 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for |
| 209 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 209 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 210 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 210 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 211 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26958-9">CCE-26958-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 211 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26958-9">CCE-26958-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 212 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm299 | 212 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29900"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 214 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 214 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 215 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 215 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 216 | <pre>server·<i>ntpserver</i></pre> | 216 | <pre>server·<i>ntpserver</i></pre> |
| 217 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 217 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 218 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 218 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 219 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 219 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 220 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 220 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 221 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 221 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 222 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27098-3">CCE-27098-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 222 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27098-3">CCE-27098-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 223 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000248</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_o | 223 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000248</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons |
| 224 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 225 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 226 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 227 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 228 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled"·id="guide-tree-leaf-idm30128"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_crond_enabled">Enable·cron·Service | ||
| 229 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_crond_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>crond</code>·service·is·used·to·execute·commands·at | ||
| 230 | preconfigured·times.·It·is·required·by·almost·all·systems·to·perform·necessary | ||
| 231 | maintenance·tasks,·such·as·notifying·root·of·system·activity. | ||
| 232 | ········The·<code>crond</code>·service·can·be·enabled·with·the·following·command: | ||
| 233 | ········<pre>$·sudo·chkconfig·--level·2345·crond·on</pre></p><span·class="label·label-primary">Rationale:</span><p>Due·to·its·usage·for·maintenance·and·security-supporting·tasks, | ||
| 234 | enabling·the·cron·daemon·is·essential.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 235 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 236 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27070-2">CCE-27070-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 237 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000224</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50406r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm30140">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30140"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 238 | # | ||
| 239 | #·Example·Call(s): | ||
| 240 | # | ||
| 241 | #·····service_command·enable·bluetooth | ||
| 242 | #·····service_command·disable·bluetooth.service | ||
| 243 | # | ||
| 244 | #·····Using·xinetd: | ||
| 245 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 246 | # | ||
| 247 | function·service_command·{ | ||
| 248 | #·Load·function·arguments·into·local·variables | ||
| 249 | local·service_state=$1 | ||
| 250 | local·service=$2 | ||
| 251 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 252 | #·Check·sanity·of·the·input | ||
| 253 | if·[·$#·-lt·"2"·] | ||
| Max diff block lines reached; 1682618/1716627 bytes (98.02%) of diff not shown. | |||
| Offset 48, 23 lines modified | Offset 48, 146 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="[·...·truncated·by·diffoscope;·len:·734,·SHA:·25c03cfca8c8e7566953764cd9421d66561e88aec462809a5f7eec462db2bd40·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·192·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 63 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·51·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 63 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·51·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to | ||
| 65 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | ||
| 66 | that·passwords·and·other·data·transmitted·during·the·session·can·be | ||
| 67 | captured·and·that·the·session·is·vulnerable·to·hijacking. | ||
| 68 | Therefore,·running·the·FTP·server·software·is·not·recommended. | ||
| 69 | <br><br> | ||
| 70 | However,·there·are·some·FTP·server·configurations·which·may | ||
| 71 | be·appropriate·for·some·environments,·particularly·those·which | ||
| 72 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | ||
| 73 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | ||
| 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is | ||
| 75 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | ||
| 76 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict·the·Set·of·Users·Allowed·to·Access·FTP | ||
| 77 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·describes·how·to·disable·non-anonymous·(password-based)·FTP·logins,·or,·if·it·is·not·possible·to | ||
| 78 | do·this·entirely·due·to·legacy·applications,·how·to·restrict·insecure·FTP·login·to·only·those·users·who·have·an | ||
| 79 | identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·id="guide-tree-leaf-idm28977"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">Restrict·Access·to·Anonymous·Users·if·Possible | ||
| 80 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than | ||
| 81 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: | ||
| 82 | <pre>local_enable=NO</pre> | ||
| 83 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure | ||
| 84 | these·logins·as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 85 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 86 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27115-5">CCE-27115-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 87 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_home_partition"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_home_partition"·id="guide-tree-leaf-idm29014"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_home_partition">Place·the·FTP·Home·Directory·on·its·Own·Partition | ||
| 88 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_home_partition">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can | ||
| 89 | be·used·to·verify·that·this·directory·is·on·its·own·partition.</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·a·mission-critical·reason·for·anonymous·users·to·upload·files,·precautions·must·be·taken·to·prevent | ||
| 90 | these·users·from·filling·a·disk·used·by·other·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 91 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 92 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27411-8">CCE-27411-8</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29019"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions | ||
| 93 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | ||
| 94 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | ||
| 95 | <pre>xferlog_enable=YES | ||
| 96 | xferlog_std_format=NO | ||
| 97 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | ||
| 98 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | ||
| 99 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 100 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 101 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27142-9">CCE-27142-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 102 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000339</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·id="guide-tree-leaf-idm29035"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads">Disable·FTP·Uploads·if·Possible | ||
| 103 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_disable_uploads">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not, | ||
| 104 | edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options: | ||
| 105 | <pre>write_enable=NO</pre> | ||
| 106 | If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions | ||
| 107 | as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·FTP·can·be·a·convenient·way·to·make·files·available·for·universal·download.·However,·it·is·less | ||
| 108 | common·to·have·a·need·to·allow·unauthenticated·users·to·place·files·on·the·FTP·server.·If·this·must·be·done,·it | ||
| 109 | is·necessary·to·ensure·that·files·cannot·be·uploaded·and·downloaded·from·the·same·directory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 110 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 111 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27117-1">CCE-27117-1</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users | ||
| 112 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 113 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 114 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 115 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 116 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27145-2">CCE-27145-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 117 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000348</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | ||
| 118 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and | ||
| 119 | set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·id="guide-tree-leaf-idm29061"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed">Install·vsftpd·Package | ||
| 120 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. | ||
| 121 | <pre>$·sudo·yum·install·vsftpd</pre></p><span·class="label·label-primary">Rationale:</span><p>After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security | ||
| 122 | and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 123 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 124 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27187-4">CCE-27187-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 125 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29069">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29069"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 126 | # | ||
| 127 | #·Example·Call(s): | ||
| 128 | # | ||
| 129 | #·····package_install·aide | ||
| 130 | # | ||
| 131 | function·package_install·{ | ||
| 132 | #·Load·function·arguments·into·local·variables | ||
| 133 | local·package="$1" | ||
| 134 | #·Check·sanity·of·the·input | ||
| 135 | if·[·$#·-ne·"1"·] | ||
| 136 | then | ||
| 137 | ··echo·"Usage:·package_install·'package_name'" | ||
| 138 | ··echo·"Aborting." | ||
| 139 | ··exit·1 | ||
| 140 | fi | ||
| 141 | if·which·dnf·;·then | ||
| 142 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 143 | ····dnf·install·-y·"$package" | ||
| 144 | ··fi | ||
| 145 | elif·which·yum·;·then | ||
| 146 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 147 | ····yum·install·-y·"$package" | ||
| 148 | ··fi | ||
| 149 | elif·which·apt-get·;·then | ||
| 150 | ··apt-get·install·-y·"$package" | ||
| 151 | else | ||
| 152 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 153 | ··echo·"Aborting." | ||
| 154 | ··exit·1 | ||
| 155 | fi | ||
| 156 | } | ||
| 157 | package_install·vsftpd | ||
| 158 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29071">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29071"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·installed | ||
| 159 | ··package: | ||
| 160 | ····name="{{item}}" | ||
| 161 | ····state=present | ||
| 162 | ··with_items: | ||
| 163 | ····-·vsftpd | ||
| 164 | ··tags: | ||
| 165 | ····-·package_vsftpd_installed | ||
| 166 | ····-·unknown_severity | ||
| 167 | ····-·enable_strategy | ||
| 168 | ····-·low_complexity | ||
| 169 | ····-·low_disruption | ||
| Max diff block lines reached; 1556352/1584645 bytes (98.21%) of diff not shown. | |||
| Offset 53, 128 lines modified | Offset 53, 127 lines modified | ||
| 53 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 53 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 54 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 54 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 55 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 55 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 56 | quality,·reliability,·or·any·other·characteristic. | 56 | quality,·reliability,·or·any·other·characteristic. |
| 57 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat· | 57 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat· |
| 58 | Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 58 | Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 59 | ····························(as·of·2018-07-26) | 59 | ····························(as·of·2018-07-26) |
| 60 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 60 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org[·...·truncated·by·diffoscope;·len:·879,·SHA:·a9e3098c4894efb85e37b60670bbc0450483217500119b1f1ca43a0e1222a6a3·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·270·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 61 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 61 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 62 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 62 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 63 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 63 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 64 | ones·can·be·safely·disabled. | 64 | ones·can·be·safely·disabled. |
| 65 | <br><br> | 65 | <br><br> |
| 66 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 66 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 67 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 67 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 68 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·76·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 68 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·76·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 70 | 70 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 71 | 71 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 72 | 72 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 73 | 73 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 74 | 74 | <br><br> | |
| 75 | 75 | However,·there·are·some·FTP·server·configurations·which·may | |
| 76 | 76 | be·appropriate·for·some·environments,·particularly·those·which | |
| 77 | 77 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 78 | de | 78 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 79 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 79 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 80 | <c | 80 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29095"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package |
| 81 | <c | 81 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 82 | 82 | ············ | |
| 83 | 83 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | |
| 84 | 84 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | |
| 85 | p | 85 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 86 | a | 86 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 87 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | ||
| 88 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | ||
| 89 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | ||
| 90 | <pre>client·signing·=·mandatory</pre> | ||
| 91 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | ||
| 92 | signing·ensures·they·can | ||
| 93 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | ||
| 94 | man-in-the-middle·attacks·which·modify·SMB·packets·in | ||
| 95 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 96 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 87 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 97 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26 | 88 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26687-4">CCE-26687-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 98 | ············<a·href="http://iase.disa.mil/stigs/ | 89 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 99 | # | 90 | # |
| 100 | # | 91 | #·Example·Call(s): |
| 101 | # | 92 | # |
| 93 | #·····package_remove·telnet-server | ||
| 94 | # | ||
| 95 | function·package_remove·{ | ||
| 102 | 96 | #·Load·function·arguments·into·local·variables | |
| 97 | local·package="$1" | ||
| 103 | 98 | #·Check·sanity·of·the·input | |
| 104 | 99 | if·[·$#·-ne·"1"·] | |
| 105 | 100 | then | |
| 101 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 102 | ··echo·"Aborting." | ||
| 103 | ··exit·1 | ||
| 104 | fi | ||
| 105 | if·which·dnf·;·then | ||
| 106 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 107 | ····dnf·remove·-y·"$package" | ||
| 108 | ··fi | ||
| 109 | elif·which·yum·;·then | ||
| 110 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 111 | ····yum·remove·-y·"$package" | ||
| 112 | ··fi | ||
| 113 | elif·which·apt-get·;·then | ||
| 114 | ··apt-get·remove·-y·"$package" | ||
| 106 | else | 115 | else |
| 107 | 116 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 117 | ··echo·"Aborting." | ||
| 118 | ··exit·1 | ||
| 108 | fi | 119 | fi |
| 109 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29068">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29068"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 110 | ··stat: | ||
| 111 | ····path:·/etc/samba/smb.conf | ||
| 112 | ··register:·st_smb | ||
| 113 | ··tags: | ||
| 114 | ····-·require_smb_client_signing | ||
| 115 | ····-·unknown_severity | ||
| 116 | ····-·configure_strategy | ||
| 117 | ····-·low_complexity | ||
| 118 | ····-·medium_disruption | ||
| 119 | ····-·CCE-26328-5 | ||
| 120 | ····-·DISA-STIG-RHEL-06-000272 | ||
| 121 | 120 | } | |
| 122 | ··lineinfile: | ||
| 123 | 121 | package_remove·vsftpd | |
| 124 | ····line | 122 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29106">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29106"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·removed |
| 125 | ·· | 123 | ··package: |
| 126 | ···· | 124 | ····name="{{item}}" |
| 127 | ·· | 125 | ····state=absent |
| 126 | ··with_items: | ||
| 127 | ····-·vsftpd | ||
| 128 | ··tags: | 128 | ··tags: |
| 129 | ····-· | 129 | ····-·package_vsftpd_removed |
| 130 | ····-·unknown_severity | 130 | ····-·unknown_severity |
| 131 | ····-· | 131 | ····-·disable_strategy |
| 132 | ····-·low_complexity | 132 | ····-·low_complexity |
| 133 | ····-· | 133 | ····-·low_disruption |
| 134 | ····-·CCE-26 | 134 | ····-·CCE-26687-4 |
| 135 | ····-· | 135 | ····-·NIST-800-53-CM-7 |
| 136 | </code></pre></div>< | 136 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29107">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29107"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_vsftpd |
| 137 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba | ||
| 138 | 137 | class·remove_vsftpd·{ | |
| 139 | 138 | ··package·{·'vsftpd': | |
| 140 | 139 | ····ensure·=>·'purged', | |
| 141 | 140 | ··} | |
| 142 | 141 | } | |
| 143 | client·sho | 142 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 144 | pack | 143 | package·--remove=vsftpd |
| 145 | 144 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server | |
| 146 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 147 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 148 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server | ||
| 149 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to | 145 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to |
| 150 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant | 146 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant |
| 151 | security·risk·because: | 147 | security·risk·because: |
| 152 | <br><br> | 148 | <br><br> |
| 153 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long | 149 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long |
| Max diff block lines reached; 2195256/2220209 bytes (98.88%) of diff not shown. | |||
| Offset 48, 15 lines modified | Offset 48, 15 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 83, 15 lines modified | Offset 83, 15 lines modified | ||
| 83 | <br><br> | 83 | <br><br> |
| 84 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 84 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 85 | servers,·and·the·remainder·obtaining·time·information·from·those | 85 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 86 | internal·servers. | 86 | internal·servers. |
| 87 | <br><br> | 87 | <br><br> |
| 88 | More·information·on·how·to·configure·the·NTP·server·software, | 88 | More·information·on·how·to·configure·the·NTP·server·software, |
| 89 | including·configuration·of·cryptographic·authentication·for | 89 | including·configuration·of·cryptographic·authentication·for |
| 90 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 90 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 92 | ·········· | 92 | ·········· |
| 93 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 93 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 94 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 94 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 95 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 95 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 96 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 96 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 97 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 97 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 101, 15 lines modified | Offset 101, 15 lines modified | ||
| 101 | logs·and·auditing·possible·security·breaches.·· | 101 | logs·and·auditing·possible·security·breaches.·· |
| 102 | <br><br> | 102 | <br><br> |
| 103 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 103 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 104 | deprecated.··Additional·information·on·this·is·available·at· | 104 | deprecated.··Additional·information·on·this·is·available·at· |
| 105 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 105 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 106 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 106 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 107 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 107 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 108 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 108 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 109 | # | 109 | # |
| 110 | #·Example·Call(s): | 110 | #·Example·Call(s): |
| 111 | # | 111 | # |
| 112 | #·····service_command·enable·bluetooth | 112 | #·····service_command·enable·bluetooth |
| 113 | #·····service_command·disable·bluetooth.service | 113 | #·····service_command·disable·bluetooth.service |
| 114 | # | 114 | # |
| 115 | #·····Using·xinetd: | 115 | #·····Using·xinetd: |
| Offset 177, 15 lines modified | Offset 177, 15 lines modified | ||
| 177 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 177 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 178 | ··fi | 178 | ··fi |
| 179 | fi | 179 | fi |
| 180 | } | 180 | } |
| 181 | service_command·enable·ntpd | 181 | service_command·enable·ntpd |
| 182 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 182 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 183 | ··service: | 183 | ··service: |
| 184 | ····name="{{item}}" | 184 | ····name="{{item}}" |
| 185 | ····enabled="yes" | 185 | ····enabled="yes" |
| 186 | ····state="started" | 186 | ····state="started" |
| 187 | ··with_items: | 187 | ··with_items: |
| 188 | ····-·ntpd | 188 | ····-·ntpd |
| 189 | ··tags: | 189 | ··tags: |
| Offset 194, 26 lines modified | Offset 194, 26 lines modified | ||
| 194 | ····-·enable_strategy | 194 | ····-·enable_strategy |
| 195 | ····-·low_complexity | 195 | ····-·low_complexity |
| 196 | ····-·low_disruption | 196 | ····-·low_disruption |
| 197 | ····-·CCE-27093-4 | 197 | ····-·CCE-27093-4 |
| 198 | ····-·NIST-800-53-AU-8(1) | 198 | ····-·NIST-800-53-AU-8(1) |
| 199 | ····-·PCI-DSS-Req-10.4 | 199 | ····-·PCI-DSS-Req-10.4 |
| 200 | ····-·DISA-STIG-RHEL-06-000247 | 200 | ····-·DISA-STIG-RHEL-06-000247 |
| 201 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29 | 201 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29887"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 202 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | 202 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization |
| 203 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | 203 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the |
| 204 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | 204 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for |
| 205 | <em>ntpserver</em>: | 205 | <em>ntpserver</em>: |
| 206 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | 206 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of |
| 207 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | 207 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes |
| 208 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | 208 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for |
| 209 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 209 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 210 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 210 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 211 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26958-9">CCE-26958-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 211 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26958-9">CCE-26958-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 212 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm299 | 212 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29900"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 214 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 214 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 215 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 215 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 216 | <pre>server·<i>ntpserver</i></pre> | 216 | <pre>server·<i>ntpserver</i></pre> |
| 217 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 217 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 218 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 218 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 219 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 219 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| Offset 229, 15 lines modified | Offset 229, 15 lines modified | ||
| 229 | detailed·documentation·is·available·from·its·website, | 229 | detailed·documentation·is·available·from·its·website, |
| 230 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and | 230 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and |
| 231 | provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary | 231 | provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary |
| 232 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 232 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 233 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 233 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 234 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 234 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 235 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 235 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 236 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm3 | 236 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm32018"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 237 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout | 237 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout |
| 238 | interval. | 238 | interval. |
| 239 | After·this·interval·has·passed,·the·idle·user·will·be | 239 | After·this·interval·has·passed,·the·idle·user·will·be |
| 240 | automatically·logged·out. | 240 | automatically·logged·out. |
| 241 | <br><br> | 241 | <br><br> |
| 242 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 242 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 243 | follows: | 243 | follows: |
| Offset 249, 23 lines modified | Offset 249, 23 lines modified | ||
| 249 | shell,·that·value·will·preempt·any·SSH | 249 | shell,·that·value·will·preempt·any·SSH |
| 250 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 250 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 251 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 251 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 252 | guards·against·compromises·one·system·leading·trivially | 252 | guards·against·compromises·one·system·leading·trivially |
| 253 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 253 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 254 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 254 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 255 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26919-1">CCE-26919-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 255 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26919-1">CCE-26919-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 256 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000879</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000230</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50409r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm3 | 256 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000879</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000230</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50409r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm32041">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm32041"><pre><code> |
| 257 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>" | 257 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>" |
| 258 | grep·-q·^ClientAliveInterval·/etc/ssh/sshd_config·&&·\ | 258 | grep·-q·^ClientAliveInterval·/etc/ssh/sshd_config·&&·\ |
| 259 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config | 259 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config |
| 260 | if·!·[·$?·-eq·0·];·then | 260 | if·!·[·$?·-eq·0·];·then |
| 261 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config | 261 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config |
| 262 | fi | 262 | fi |
| 263 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 263 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm32043">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm32043"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable |
| 264 | ··set_fact: | 264 | ··set_fact: |
| 265 | ····sshd_idle_timeout_value:·<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr> | 265 | ····sshd_idle_timeout_value:·<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr> |
| 266 | ··tags: | 266 | ··tags: |
| 267 | ····-·always | 267 | ····-·always |
| Max diff block lines reached; 841276/865965 bytes (97.15%) of diff not shown. | |||
| Offset 48, 23 lines modified | Offset 48, 136 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_o | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 57 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 58 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 59 | ones·can·be·safely·disabled. | 59 | ones·can·be·safely·disabled. |
| 60 | <br><br> | 60 | <br><br> |
| 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 61 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 62 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 63 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_o | 63 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 65 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 66 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 67 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 68 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm30147"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd) | ||
| 69 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to | ||
| 70 | schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed | ||
| 71 | execution·in·a·manner·similar·to·cron,·except·that·it·is·not | ||
| 72 | recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via | ||
| 73 | <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time. | ||
| 74 | ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command: | ||
| 75 | ········<pre>$·sudo·chkconfig·atd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry | ||
| 76 | out·activities·outside·of·a·normal·login·session,·which·could·complicate | ||
| 77 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or | ||
| 78 | <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 79 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 80 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27249-2">CCE-27249-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 81 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000262</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50442r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm30167">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30167"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 82 | # | ||
| 83 | #·Example·Call(s): | ||
| 84 | # | ||
| 85 | #·····service_command·enable·bluetooth | ||
| 86 | #·····service_command·disable·bluetooth.service | ||
| 87 | # | ||
| 88 | #·····Using·xinetd: | ||
| 89 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 90 | # | ||
| 91 | function·service_command·{ | ||
| 92 | #·Load·function·arguments·into·local·variables | ||
| 93 | local·service_state=$1 | ||
| 94 | local·service=$2 | ||
| 95 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 96 | #·Check·sanity·of·the·input | ||
| 97 | if·[·$#·-lt·"2"·] | ||
| 98 | then | ||
| 99 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 100 | ··echo | ||
| 101 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 102 | ··echo·"as·the·last·argument"·· | ||
| 103 | ··echo·"Aborting." | ||
| 104 | ··exit·1 | ||
| 105 | fi | ||
| 106 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 107 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 108 | ··service_util="/usr/bin/systemctl" | ||
| 109 | else | ||
| 110 | ··service_util="/sbin/service" | ||
| 111 | ··chkconfig_util="/sbin/chkconfig" | ||
| 112 | fi | ||
| 113 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 114 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 115 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 116 | ··service_state="enable" | ||
| 117 | ··service_operation="start" | ||
| 118 | ··chkconfig_state="on" | ||
| 119 | else | ||
| 120 | ··service_state="disable" | ||
| 121 | ··service_operation="stop" | ||
| 122 | ··chkconfig_state="off" | ||
| 123 | fi | ||
| 124 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 125 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 126 | ··$service_util·$service·$service_operation | ||
| 127 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 128 | else | ||
| 129 | ··$service_util·$service_operation·$service | ||
| 130 | ··$service_util·$service_state·$service | ||
| 131 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 132 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 133 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 134 | ··$service_util·reset-failed·$service | ||
| 135 | fi | ||
| 136 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 137 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 138 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 139 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 140 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 141 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 142 | ··else | ||
| 143 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 144 | ··fi | ||
| 145 | fi | ||
| 146 | } | ||
| 147 | service_command·disable·atd | ||
| 148 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm30169">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30169"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd | ||
| 149 | ··service: | ||
| 150 | ····name="{{item}}" | ||
| 151 | ····enabled="no" | ||
| 152 | ····state="stopped" | ||
| 153 | ··register:·service_result | ||
| 154 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 155 | ··with_items: | ||
| 156 | ····-·atd | ||
| 157 | ··tags: | ||
| 158 | ····-·service_atd_disabled | ||
| 159 | ····-·unknown_severity | ||
| 160 | ····-·disable_strategy | ||
| 161 | ····-·low_complexity | ||
| 162 | ····-·low_disruption | ||
| 163 | ····-·CCE-27249-2 | ||
| 164 | ····-·NIST-800-53-CM-7 | ||
| Max diff block lines reached; 653371/668176 bytes (97.78%) of diff not shown. | |||
| Offset 49, 15 lines modified | Offset 49, 15 lines modified | ||
| 49 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 49 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 50 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 50 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 51 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 51 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 52 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 52 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 53 | quality,·reliability,·or·any·other·characteristic. | 53 | quality,·reliability,·or·any·other·characteristic. |
| 54 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 54 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 55 | ····························(as·of·2018-07-26) | 55 | ····························(as·of·2018-07-26) |
| 56 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 56 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgpr[·...·truncated·by·diffoscope;·len:·550,·SHA:·57496307fa97d1728004b56852784b91d9d3fe09769ff2b07f1473882fcbec47·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·186·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 75, 40 lines modified | Offset 75, 40 lines modified | ||
| 75 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in | 75 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in |
| 76 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a | 76 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a |
| 77 | <code>[global]</code>·configuration·section·and·a·series·of·user | 77 | <code>[global]</code>·configuration·section·and·a·series·of·user |
| 78 | created·share·definition·sections·meant·to·describe·file·or·print | 78 | created·share·definition·sections·meant·to·describe·file·or·print |
| 79 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode | 79 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode |
| 80 | and·allow·client·systems·to·access·local·home·directories·and | 80 | and·allow·client·systems·to·access·local·home·directories·and |
| 81 | printers.·It·is·recommended·that·these·settings·be·changed·or·that | 81 | printers.·It·is·recommended·that·these·settings·be·changed·or·that |
| 82 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29 | 82 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29711"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient |
| 83 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | 83 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use |
| 84 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | 84 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section |
| 85 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | 85 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: |
| 86 | <pre>client·signing·=·mandatory</pre> | 86 | <pre>client·signing·=·mandatory</pre> |
| 87 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | 87 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet |
| 88 | signing·ensures·they·can | 88 | signing·ensures·they·can |
| 89 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | 89 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent |
| 90 | man-in-the-middle·attacks·which·modify·SMB·packets·in | 90 | man-in-the-middle·attacks·which·modify·SMB·packets·in |
| 91 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 91 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 92 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 92 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 93 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 93 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 94 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 94 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29724">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29724"><pre><code>###################################################################### |
| 95 | #By·Luke·"Brisk-OH"·Brisk | 95 | #By·Luke·"Brisk-OH"·Brisk |
| 96 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 96 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 97 | ###################################################################### | 97 | ###################################################################### |
| 98 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 98 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| 99 | if·[·"$CLIENTSIGNING"·-eq·0·];··then | 99 | if·[·"$CLIENTSIGNING"·-eq·0·];··then |
| 100 | » #·Add·to·global·section | 100 | » #·Add·to·global·section |
| 101 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 101 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 102 | else | 102 | else |
| 103 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 103 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 104 | fi | 104 | fi |
| 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 105 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29725">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29725"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists |
| 106 | ··stat: | 106 | ··stat: |
| 107 | ····path:·/etc/samba/smb.conf | 107 | ····path:·/etc/samba/smb.conf |
| 108 | ··register:·st_smb | 108 | ··register:·st_smb |
| 109 | ··tags: | 109 | ··tags: |
| 110 | ····-·require_smb_client_signing | 110 | ····-·require_smb_client_signing |
| 111 | ····-·unknown_severity | 111 | ····-·unknown_severity |
| 112 | ····-·configure_strategy | 112 | ····-·configure_strategy |
| Offset 128, 87 lines modified | Offset 128, 27 lines modified | ||
| 128 | ····-·require_smb_client_signing | 128 | ····-·require_smb_client_signing |
| 129 | ····-·unknown_severity | 129 | ····-·unknown_severity |
| 130 | ····-·configure_strategy | 130 | ····-·configure_strategy |
| 131 | ····-·low_complexity | 131 | ····-·low_complexity |
| 132 | ····-·medium_disruption | 132 | ····-·medium_disruption |
| 133 | ····-·CCE-26328-5 | 133 | ····-·CCE-26328-5 |
| 134 | ····-·DISA-STIG-RHEL-06-000272 | 134 | ····-·DISA-STIG-RHEL-06-000272 |
| 135 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29 | 135 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29730"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs |
| 136 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba | 136 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba |
| 137 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares | 137 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares |
| 138 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either | 138 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either |
| 139 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. | 139 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. |
| 140 | <br><br> | 140 | <br><br> |
| 141 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba | 141 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba |
| 142 | client·should·only·communicate·with·servers·who·can·support·SMB | 142 | client·should·only·communicate·with·servers·who·can·support·SMB |
| 143 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle | 143 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle |
| 144 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 144 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 145 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 145 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 146 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 146 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 147 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 147 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 148 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. | ||
| 149 | Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious | ||
| 150 | targets·of·network·attack. | ||
| 151 | Ensure·that·systems·are·not·running·MTAs·unnecessarily, | ||
| 152 | and·configure·needed·MTAs·as·defensively·as·possible. | ||
| 153 | <br><br> | ||
| 154 | Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the | ||
| 155 | network.·Users·should·instead·use·mail·client·programs·to·retrieve·email | ||
| 156 | from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. | ||
| 157 | However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, | ||
| 158 | for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. | ||
| 159 | Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from | ||
| 160 | the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), | ||
| 161 | but·the·system·still·cannot·receive·mail·directly·over·a·network. | ||
| 162 | <br><br> | ||
| 163 | The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software | ||
| 164 | (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. | ||
| 165 | Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by | ||
| 166 | SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. | ||
| 167 | More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients | ||
| 168 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only | ||
| 169 | e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29530"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening | ||
| 170 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following | ||
| 171 | <code>inet_interfaces</code>·line·appears: | ||
| 172 | <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages | ||
| 173 | (such·as·cron·job·reports)·from·the·local·system·only, | ||
| 174 | and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 175 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 176 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26780-7">CCE-26780-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 177 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000249</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 178 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 179 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 180 | parameters·from·a·server. | ||
| 181 | <br><br> | ||
| 182 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 183 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 184 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 185 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 186 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 187 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 188 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 189 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 190 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29771"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 191 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 192 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 193 | following·changes: | ||
| 194 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 195 | <pre>BOOTPROTO=none</pre> | ||
| 196 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 197 | values·based·on·your·site's·addressing·scheme: | ||
| Max diff block lines reached; 1515729/1543957 bytes (98.17%) of diff not shown. | |||
| Offset 50, 15 lines modified | Offset 50, 15 lines modified | ||
| 50 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 50 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 51 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 51 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 52 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 52 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 53 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 53 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 54 | quality,·reliability,·or·any·other·characteristic. | 54 | quality,·reliability,·or·any·other·characteristic. |
| 55 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 55 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 56 | ····························(as·of·2018-07-26) | 56 | ····························(as·of·2018-07-26) |
| 57 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 57 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li>[·...·truncated·by·diffoscope;·len:·399,·SHA:·fbfb410e2703115c5bde514edad124bef19a840feb775eacf478f7e80a5206c7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·182·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 58 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 58 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 59 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 59 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 60 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 60 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 61 | ones·can·be·safely·disabled. | 61 | ones·can·be·safely·disabled. |
| 62 | <br><br> | 62 | <br><br> |
| 63 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 63 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 64 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 64 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 76, 40 lines modified | Offset 76, 40 lines modified | ||
| 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in | 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in |
| 77 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a | 77 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a |
| 78 | <code>[global]</code>·configuration·section·and·a·series·of·user | 78 | <code>[global]</code>·configuration·section·and·a·series·of·user |
| 79 | created·share·definition·sections·meant·to·describe·file·or·print | 79 | created·share·definition·sections·meant·to·describe·file·or·print |
| 80 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode | 80 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode |
| 81 | and·allow·client·systems·to·access·local·home·directories·and | 81 | and·allow·client·systems·to·access·local·home·directories·and |
| 82 | printers.·It·is·recommended·that·these·settings·be·changed·or·that | 82 | printers.·It·is·recommended·that·these·settings·be·changed·or·that |
| 83 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29 | 83 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29711"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient |
| 84 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | 84 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use |
| 85 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | 85 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section |
| 86 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | 86 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: |
| 87 | <pre>client·signing·=·mandatory</pre> | 87 | <pre>client·signing·=·mandatory</pre> |
| 88 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | 88 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet |
| 89 | signing·ensures·they·can | 89 | signing·ensures·they·can |
| 90 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | 90 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent |
| 91 | man-in-the-middle·attacks·which·modify·SMB·packets·in | 91 | man-in-the-middle·attacks·which·modify·SMB·packets·in |
| 92 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 92 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 94 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 94 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 95 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 95 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29724">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29724"><pre><code>###################################################################### |
| 96 | #By·Luke·"Brisk-OH"·Brisk | 96 | #By·Luke·"Brisk-OH"·Brisk |
| 97 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 97 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 98 | ###################################################################### | 98 | ###################################################################### |
| 99 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 99 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| 100 | if·[·"$CLIENTSIGNING"·-eq·0·];··then | 100 | if·[·"$CLIENTSIGNING"·-eq·0·];··then |
| 101 | » #·Add·to·global·section | 101 | » #·Add·to·global·section |
| 102 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 102 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 103 | else | 103 | else |
| 104 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 104 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 105 | fi | 105 | fi |
| 106 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 106 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29725">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29725"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists |
| 107 | ··stat: | 107 | ··stat: |
| 108 | ····path:·/etc/samba/smb.conf | 108 | ····path:·/etc/samba/smb.conf |
| 109 | ··register:·st_smb | 109 | ··register:·st_smb |
| 110 | ··tags: | 110 | ··tags: |
| 111 | ····-·require_smb_client_signing | 111 | ····-·require_smb_client_signing |
| 112 | ····-·unknown_severity | 112 | ····-·unknown_severity |
| 113 | ····-·configure_strategy | 113 | ····-·configure_strategy |
| Offset 129, 57 lines modified | Offset 129, 27 lines modified | ||
| 129 | ····-·require_smb_client_signing | 129 | ····-·require_smb_client_signing |
| 130 | ····-·unknown_severity | 130 | ····-·unknown_severity |
| 131 | ····-·configure_strategy | 131 | ····-·configure_strategy |
| 132 | ····-·low_complexity | 132 | ····-·low_complexity |
| 133 | ····-·medium_disruption | 133 | ····-·medium_disruption |
| 134 | ····-·CCE-26328-5 | 134 | ····-·CCE-26328-5 |
| 135 | ····-·DISA-STIG-RHEL-06-000272 | 135 | ····-·DISA-STIG-RHEL-06-000272 |
| 136 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29 | 136 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29730"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs |
| 137 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba | 137 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba |
| 138 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares | 138 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares |
| 139 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either | 139 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either |
| 140 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. | 140 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. |
| 141 | <br><br> | 141 | <br><br> |
| 142 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba | 142 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba |
| 143 | client·should·only·communicate·with·servers·who·can·support·SMB | 143 | client·should·only·communicate·with·servers·who·can·support·SMB |
| 144 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle | 144 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle |
| 145 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 145 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 146 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 146 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 147 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 147 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 148 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 148 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 149 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. | ||
| 150 | Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious | ||
| 151 | targets·of·network·attack. | ||
| 152 | Ensure·that·systems·are·not·running·MTAs·unnecessarily, | ||
| 153 | and·configure·needed·MTAs·as·defensively·as·possible. | ||
| 154 | <br><br> | ||
| 155 | Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the | ||
| 156 | network.·Users·should·instead·use·mail·client·programs·to·retrieve·email | ||
| 157 | from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. | ||
| 158 | However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, | ||
| 159 | for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. | ||
| 160 | Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from | ||
| 161 | the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), | ||
| 162 | but·the·system·still·cannot·receive·mail·directly·over·a·network. | ||
| 163 | <br><br> | ||
| 164 | The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software | ||
| 165 | (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. | ||
| 166 | Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by | ||
| 167 | SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. | ||
| 168 | More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients | ||
| 169 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only | ||
| 170 | e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29530"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening | ||
| 171 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following | ||
| 172 | <code>inet_interfaces</code>·line·appears: | ||
| 173 | <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages | ||
| 174 | (such·as·cron·job·reports)·from·the·local·system·only, | ||
| 175 | and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 176 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 177 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26780-7">CCE-26780-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 178 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000249</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 179 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 149 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 180 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 150 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 181 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 151 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 182 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 152 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 183 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 153 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 184 | outside·world. | 154 | outside·world. |
| 185 | <br><br> | 155 | <br><br> |
| Offset 198, 15 lines modified | Offset 168, 15 lines modified | ||
| 198 | <br><br> | 168 | <br><br> |
| 199 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 169 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 200 | servers,·and·the·remainder·obtaining·time·information·from·those | 170 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 201 | internal·servers. | 171 | internal·servers. |
| 202 | <br><br> | 172 | <br><br> |
| 203 | More·information·on·how·to·configure·the·NTP·server·software, | 173 | More·information·on·how·to·configure·the·NTP·server·software, |
| 204 | including·configuration·of·cryptographic·authentication·for | 174 | including·configuration·of·cryptographic·authentication·for |
| 205 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29 | 175 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 206 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 176 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 207 | ·········· | 177 | ·········· |
| 208 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 178 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 209 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 179 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| Max diff block lines reached; 1486134/1511605 bytes (98.31%) of diff not shown. | |||
| Offset 55, 23 lines modified | Offset 55, 52 lines modified | ||
| 55 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 55 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 56 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 56 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 57 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 57 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 58 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 58 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 59 | quality,·reliability,·or·any·other·characteristic. | 59 | quality,·reliability,·or·any·other·characteristic. |
| 60 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 60 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 61 | ····························(as·of·2018-07-26) | 61 | ····························(as·of·2018-07-26) |
| 62 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 62 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xc[·...·truncated·by·diffoscope;·len:·910,·SHA:·dfe52403ca27039c6fd60778f9cb46d9343b9cfec43f048aeacec9a362dd7410·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·250·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 63 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 63 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 64 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 64 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 65 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 65 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 66 | ones·can·be·safely·disabled. | 66 | ones·can·be·safely·disabled. |
| 67 | <br><br> | 67 | <br><br> |
| 68 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 68 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 69 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 69 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 70 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·57·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 70 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·57·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 71 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to | ||
| 72 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | ||
| 73 | that·passwords·and·other·data·transmitted·during·the·session·can·be | ||
| 74 | captured·and·that·the·session·is·vulnerable·to·hijacking. | ||
| 75 | Therefore,·running·the·FTP·server·software·is·not·recommended. | ||
| 76 | <br><br> | ||
| 77 | However,·there·are·some·FTP·server·configurations·which·may | ||
| 78 | be·appropriate·for·some·environments,·particularly·those·which | ||
| 79 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | ||
| 80 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | ||
| 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is | ||
| 82 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | ||
| 83 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29019"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions | ||
| 84 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | ||
| 85 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | ||
| 86 | <pre>xferlog_enable=YES | ||
| 87 | xferlog_std_format=NO | ||
| 88 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | ||
| 89 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | ||
| 90 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 91 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 92 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27142-9">CCE-27142-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 93 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000339</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users | ||
| 94 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 95 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 96 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 97 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27145-2">CCE-27145-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 99 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000348</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server | ||
| 71 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows | 100 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows |
| 72 | Linux·systems·to·provide·file·and·print·sharing·to·Microsoft | 101 | Linux·systems·to·provide·file·and·print·sharing·to·Microsoft |
| 73 | Windows·systems.·There·are·two·software·packages·that·provide | 102 | Windows·systems.·There·are·two·software·packages·that·provide |
| 74 | Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of | 103 | Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of |
| 75 | command·line·tools·that·enable·a·client·system·to·access·Samba | 104 | command·line·tools·that·enable·a·client·system·to·access·Samba |
| 76 | shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba | 105 | shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba |
| 77 | service.·It·is·this·second·package·that·allows·a·Linux·system·to | 106 | service.·It·is·this·second·package·that·allows·a·Linux·system·to |
| Offset 81, 40 lines modified | Offset 110, 40 lines modified | ||
| 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in | 110 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in |
| 82 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a | 111 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a |
| 83 | <code>[global]</code>·configuration·section·and·a·series·of·user | 112 | <code>[global]</code>·configuration·section·and·a·series·of·user |
| 84 | created·share·definition·sections·meant·to·describe·file·or·print | 113 | created·share·definition·sections·meant·to·describe·file·or·print |
| 85 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode | 114 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode |
| 86 | and·allow·client·systems·to·access·local·home·directories·and | 115 | and·allow·client·systems·to·access·local·home·directories·and |
| 87 | printers.·It·is·recommended·that·these·settings·be·changed·or·that | 116 | printers.·It·is·recommended·that·these·settings·be·changed·or·that |
| 88 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29 | 117 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29711"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient |
| 89 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | 118 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use |
| 90 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | 119 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section |
| 91 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | 120 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: |
| 92 | <pre>client·signing·=·mandatory</pre> | 121 | <pre>client·signing·=·mandatory</pre> |
| 93 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | 122 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet |
| 94 | signing·ensures·they·can | 123 | signing·ensures·they·can |
| 95 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | 124 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent |
| 96 | man-in-the-middle·attacks·which·modify·SMB·packets·in | 125 | man-in-the-middle·attacks·which·modify·SMB·packets·in |
| 97 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 126 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 98 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 127 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 99 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 128 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 100 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 129 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29724">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29724"><pre><code>###################################################################### |
| 101 | #By·Luke·"Brisk-OH"·Brisk | 130 | #By·Luke·"Brisk-OH"·Brisk |
| 102 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 131 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 103 | ###################################################################### | 132 | ###################################################################### |
| 104 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 133 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| 105 | if·[·"$CLIENTSIGNING"·-eq·0·];··then | 134 | if·[·"$CLIENTSIGNING"·-eq·0·];··then |
| 106 | » #·Add·to·global·section | 135 | » #·Add·to·global·section |
| 107 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 136 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 108 | else | 137 | else |
| 109 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 138 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 110 | fi | 139 | fi |
| 111 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 140 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29725">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29725"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists |
| 112 | ··stat: | 141 | ··stat: |
| 113 | ····path:·/etc/samba/smb.conf | 142 | ····path:·/etc/samba/smb.conf |
| 114 | ··register:·st_smb | 143 | ··register:·st_smb |
| 115 | ··tags: | 144 | ··tags: |
| 116 | ····-·require_smb_client_signing | 145 | ····-·require_smb_client_signing |
| 117 | ····-·unknown_severity | 146 | ····-·unknown_severity |
| 118 | ····-·configure_strategy | 147 | ····-·configure_strategy |
| Offset 134, 75 lines modified | Offset 163, 195 lines modified | ||
| 134 | ····-·require_smb_client_signing | 163 | ····-·require_smb_client_signing |
| 135 | ····-·unknown_severity | 164 | ····-·unknown_severity |
| 136 | ····-·configure_strategy | 165 | ····-·configure_strategy |
| 137 | ····-·low_complexity | 166 | ····-·low_complexity |
| 138 | ····-·medium_disruption | 167 | ····-·medium_disruption |
| 139 | ····-·CCE-26328-5 | 168 | ····-·CCE-26328-5 |
| 140 | ····-·DISA-STIG-RHEL-06-000272 | 169 | ····-·DISA-STIG-RHEL-06-000272 |
| 141 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29 | 170 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29730"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs |
| 142 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba | 171 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba |
| 143 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares | 172 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares |
| 144 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either | 173 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either |
| 145 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. | 174 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. |
| 146 | <br><br> | 175 | <br><br> |
| 147 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba | 176 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba |
| 148 | client·should·only·communicate·with·servers·who·can·support·SMB | 177 | client·should·only·communicate·with·servers·who·can·support·SMB |
| 149 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle | 178 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle |
| 150 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 179 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 151 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 180 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 152 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 181 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 153 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 182 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 154 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 183 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 155 | 184 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | |
| 156 | t | 185 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 157 | 186 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | |
| 158 | an | 187 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 188 | outside·world. | ||
| 159 | <br><br> | 189 | <br><br> |
| 160 | 190 | If·every·system·on·a·network·reliably·reports·the·same·time,·then·it·is·much | |
| 161 | 191 | easier·to·correlate·log·messages·in·case·of·an·attack.·In·addition,·a·number·of | |
| 162 | 192 | cryptographic·protocols·(such·as·Kerberos)·use·timestamps·to·prevent·certain | |
| 163 | 193 | types·of·attacks.·If·your·network·does·not·have·synchronized·time,·these | |
| 164 | 194 | protocols·may·be·unreliable·or·even·unusable. | |
| 165 | Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from | ||
| Max diff block lines reached; 2008145/2036763 bytes (98.59%) of diff not shown. | |||
| Offset 49, 46 lines modified | Offset 49, 46 lines modified | ||
| 49 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 49 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 50 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 50 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 51 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 51 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 52 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 52 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 53 | quality,·reliability,·or·any·other·characteristic. | 53 | quality,·reliability,·or·any·other·characteristic. |
| 54 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 54 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 55 | ····························(as·of·2018-07-26) | 55 | ····························(as·of·2018-07-26) |
| 56 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 56 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·1135,·SHA:·21de240d343fbd223cf68c70c59d884c3ee65c2748e12911430648c71044dd8d·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·223·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 63 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 64 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·56·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 64 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·56·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 66 | 66 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 67 | 67 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 68 | 68 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 69 | 69 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 70 | 70 | <br><br> | |
| 71 | 71 | However,·there·are·some·FTP·server·configurations·which·may | |
| 72 | 72 | be·appropriate·for·some·environments,·particularly·those·which | |
| 73 | 73 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 74 | de | 74 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 75 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_s | 75 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 76 | 76 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | |
| 77 | a | 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 78 | sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm28973"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba | ||
| 79 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 80 | ············ | 78 | ············ |
| 81 | ········The·<code>s | 79 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 82 | ········<pre>$·sudo·chkconfig·s | 80 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 83 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running· | 81 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue |
| 84 | 82 | of·attack,·and·should·be·disabled·if·not·needed. | |
| 83 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | ||
| 84 | a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 85 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 85 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 86 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-2 | 86 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26948-0">CCE-26948-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 87 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm2 | 87 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29088">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29088"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 88 | # | 88 | # |
| 89 | #·Example·Call(s): | 89 | #·Example·Call(s): |
| 90 | # | 90 | # |
| 91 | #·····service_command·enable·bluetooth | 91 | #·····service_command·enable·bluetooth |
| 92 | #·····service_command·disable·bluetooth.service | 92 | #·····service_command·disable·bluetooth.service |
| 93 | # | 93 | # |
| 94 | #·····Using·xinetd: | 94 | #·····Using·xinetd: |
| Offset 155, 127 lines modified | Offset 155, 125 lines modified | ||
| 155 | ··else | 155 | ··else |
| 156 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 156 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 157 | ··fi | 157 | ··fi |
| 158 | fi | 158 | fi |
| 159 | } | 159 | } |
| 160 | service_command·disable·s | 160 | service_command·disable·vsftpd |
| 161 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm2 | 161 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd |
| 162 | ··service: | 162 | ··service: |
| 163 | ····name="{{item}}" | 163 | ····name="{{item}}" |
| 164 | ····enabled="no" | 164 | ····enabled="no" |
| 165 | ····state="stopped" | 165 | ····state="stopped" |
| 166 | ··register:·service_result | 166 | ··register:·service_result |
| 167 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 167 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 168 | ··with_items: | 168 | ··with_items: |
| 169 | ····-·s | 169 | ····-·vsftpd |
| 170 | ··tags: | 170 | ··tags: |
| 171 | ····-·service_s | 171 | ····-·service_vsftpd_disabled |
| 172 | ····-·unknown_severity | 172 | ····-·unknown_severity |
| 173 | ····-·disable_strategy | 173 | ····-·disable_strategy |
| 174 | ····-·low_complexity | 174 | ····-·low_complexity |
| 175 | ····-·low_disruption | 175 | ····-·low_disruption |
| 176 | ····-·CCE-2 | 176 | ····-·CCE-26948-0 |
| 177 | 177 | ····-·NIST-800-53-CM-7 | |
| 178 | · | 178 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29095"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package |
| 179 | 179 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | |
| 180 | 180 | ············ | |
| 181 | 181 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | |
| 182 | 182 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | |
| 183 | an | 183 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 184 | 184 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 185 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29054"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient | ||
| 186 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | ||
| 187 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | ||
| 188 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | ||
| 189 | <pre>client·signing·=·mandatory</pre> | ||
| 190 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | ||
| 191 | signing·ensures·they·can | ||
| 192 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | ||
| 193 | man-in-the-middle·attacks·which·modify·SMB·packets·in | ||
| 194 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 195 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 185 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 196 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26 | 186 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26687-4">CCE-26687-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 197 | ············<a·href="http://iase.disa.mil/stigs/ | 187 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 198 | # | 188 | # |
| 199 | # | 189 | #·Example·Call(s): |
| 200 | # | 190 | # |
| 191 | #·····package_remove·telnet-server | ||
| 192 | # | ||
| 193 | function·package_remove·{ | ||
| 201 | 194 | #·Load·function·arguments·into·local·variables | |
| 195 | local·package="$1" | ||
| 202 | 196 | #·Check·sanity·of·the·input | |
| 203 | 197 | if·[·$#·-ne·"1"·] | |
| 204 | 198 | then | |
| 199 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 200 | ··echo·"Aborting." | ||
| 201 | ··exit·1 | ||
| 202 | fi | ||
| 203 | if·which·dnf·;·then | ||
| 204 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 205 | ····dnf·remove·-y·"$package" | ||
| 206 | ··fi | ||
| 207 | elif·which·yum·;·then | ||
| 208 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 209 | ····yum·remove·-y·"$package" | ||
| 210 | ··fi | ||
| 211 | elif·which·apt-get·;·then | ||
| 212 | ··apt-get·remove·-y·"$package" | ||
| 205 | else | 213 | else |
| 206 | 214 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 215 | ··echo·"Aborting." | ||
| 216 | ··exit·1 | ||
| 207 | fi | 217 | fi |
| Max diff block lines reached; 1906514/1933470 bytes (98.61%) of diff not shown. | |||
| Offset 1345, 37 lines modified | Offset 1345, 30 lines modified | ||
| 1345 | ····-·medium_disruption | 1345 | ····-·medium_disruption |
| 1346 | ····-·CCE-80111-8 | 1346 | ····-·CCE-80111-8 |
| 1347 | ····-·NIST-800-53-AC-11(a) | 1347 | ····-·NIST-800-53-AC-11(a) |
| 1348 | ····-·NIST-800-171-3.1.10 | 1348 | ····-·NIST-800-171-3.1.10 |
| 1349 | ····-·PCI-DSS-Req-8.1.8 | 1349 | ····-·PCI-DSS-Req-8.1.8 |
| 1350 | ····-·CJIS-5.5.5 | 1350 | ····-·CJIS-5.5.5 |
| 1351 | ····-·DISA-STIG-RHEL-07-010100 | 1351 | ····-·DISA-STIG-RHEL-07-010100 |
| 1352 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_ | 1352 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank"·id="guide-tree-leaf-idm95666"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.1.8"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank">Implement·Blank·Screensaver |
| 1353 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_ | 1353 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·screensaver·mode·in·the·GNOME3·desktop·to·a·blank·screen, |
| 1354 | 1354 | add·or·set·<code>picture-uri</code>·to·<code>string·''</code>·in | |
| 1355 | 1355 | <code>/etc/dconf/db/local.d/00-security-settings</code>.·For·example: | |
| 1356 | < | 1356 | <pre>[org/gnome/desktop/screensaver] |
| 1357 | 1357 | picture-uri=string·'' | |
| 1358 | < | 1358 | </pre> |
| 1359 | 1359 | Once·the·settings·have·been·added,·add·a·lock·to | |
| 1360 | idle-delay='uint32·900'</pre> | ||
| 1361 | Once·the·setting·has·been·added,·add·a·lock·to | ||
| 1362 | <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification. | 1360 | <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification. |
| 1363 | For·example: | 1361 | For·example: |
| 1364 | <pre>/org/gnome/desktop/ses | 1362 | <pre>/org/gnome/desktop/screensaver/picture-uri</pre> |
| 1365 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</p><span·class="label·label-primary">Rationale:</span><p> | 1363 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</p><span·class="label·label-primary">Rationale:</span><p>Setting·the·screensaver·mode·to·blank-only·conceals·the |
| 1366 | t | 1364 | contents·of·the·display·from·passersby.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 1367 | te | 1365 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 1368 | s | 1366 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80113-4">CCE-80113-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 1369 | a· | 1367 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000060</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(b)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm95684">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95684"><pre><code>function·include_dconf_settings·{ |
| 1370 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 1371 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80110-0">CCE-80110-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 1372 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010070</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86517r4_rule</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm95714">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95714"><pre><code> | ||
| 1373 | inactivity_timeout_value="<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_inactivity_timeout_value">(N/A)</abbr>" | ||
| 1374 | function·include_dconf_settings·{ | ||
| 1375 | » : | 1368 | » : |
| 1376 | } | 1369 | } |
| 1377 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 1370 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 1378 | # | 1371 | # |
| 1379 | #·Example·Call(s): | 1372 | #·Example·Call(s): |
| 1380 | # | 1373 | # |
| Offset 1442, 76 lines modified | Offset 1435, 75 lines modified | ||
| 1442 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 1435 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 1443 | » fi | 1436 | » fi |
| 1444 | } | 1437 | } |
| 1445 | include_dconf_settings | 1438 | include_dconf_settings |
| 1446 | dconf_settings·'org/gnome/desktop/s | 1439 | dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings' |
| 1447 | dconf_lock·'org/gnome/desktop/ses | 1440 | dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock' |
| 1448 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm95 | 1441 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm95686">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95686"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr></table><pre><code>-·name:·"Implement·Blank·Screensaver" |
| 1449 | ··set_fact: | ||
| 1450 | ····inactivity_timeout_value:·<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_inactivity_timeout_value">(N/A)</abbr> | ||
| 1451 | ··tags: | ||
| 1452 | ····-·always | ||
| 1453 | -·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout" | ||
| 1454 | ··ini_file: | 1442 | ··ini_file: |
| 1455 | ····dest:·"/etc/dconf/db/local.d/00-security-settings" | 1443 | ····dest:·"/etc/dconf/db/local.d/00-security-settings" |
| 1456 | ····section:·"org/gnome/desktop/screensaver" | 1444 | ····section:·"org/gnome/desktop/screensaver" |
| 1457 | ····option:·i | 1445 | ····option:·picture-uri |
| 1458 | ····value:· | 1446 | ····value:·string·'' |
| 1459 | ····create:·yes | 1447 | ····create:·yes |
| 1460 | ··tags: | 1448 | ··tags: |
| 1461 | ····-·dconf_gnome_screensaver_ | 1449 | ····-·dconf_gnome_screensaver_mode_blank |
| 1462 | ····-· | 1450 | ····-·unknown_severity |
| 1463 | ····-·unknown_strategy | 1451 | ····-·unknown_strategy |
| 1464 | ····-·low_complexity | 1452 | ····-·low_complexity |
| 1465 | ····-·medium_disruption | 1453 | ····-·medium_disruption |
| 1466 | ····-·CCE-8011 | 1454 | ····-·CCE-80113-4 |
| 1467 | ····-·NIST-800-53-AC-11( | 1455 | ····-·NIST-800-53-AC-11(b) |
| 1468 | ····-·NIST-800-171-3.1.10 | 1456 | ····-·NIST-800-171-3.1.10 |
| 1469 | ····-·PCI-DSS-Req-8.1.8 | 1457 | ····-·PCI-DSS-Req-8.1.8 |
| 1470 | ····-·CJIS-5.5.5 | 1458 | ····-·CJIS-5.5.5 |
| 1471 | ····-·DISA-STIG-RHEL-07-010070 | ||
| 1472 | -·name:·"Prevent·user·modification·of·GNOME·i | 1459 | -·name:·"Prevent·user·modification·of·GNOME·picture-uri" |
| 1473 | ··lineinfile: | 1460 | ··lineinfile: |
| 1474 | ····path:·/etc/dconf/db/local.d/locks/00-security-settings-lock | 1461 | ····path:·/etc/dconf/db/local.d/locks/00-security-settings-lock |
| 1475 | ····regexp:·'^/org/gnome/desktop/screensaver/i | 1462 | ····regexp:·'^/org/gnome/desktop/screensaver/picture-uri' |
| 1476 | ····line:·'/org/gnome/desktop/screensaver/i | 1463 | ····line:·'/org/gnome/desktop/screensaver/picture-uri' |
| 1477 | ····create:·yes | 1464 | ····create:·yes |
| 1478 | ··tags: | 1465 | ··tags: |
| 1479 | ····-·dconf_gnome_screensaver_ | 1466 | ····-·dconf_gnome_screensaver_mode_blank |
| 1480 | ····-· | 1467 | ····-·unknown_severity |
| 1481 | ····-·unknown_strategy | 1468 | ····-·unknown_strategy |
| 1482 | ····-·low_complexity | 1469 | ····-·low_complexity |
| 1483 | ····-·medium_disruption | 1470 | ····-·medium_disruption |
| 1484 | ····-·CCE-8011 | 1471 | ····-·CCE-80113-4 |
| 1485 | ····-·NIST-800-53-AC-11( | 1472 | ····-·NIST-800-53-AC-11(b) |
| 1486 | ····-·NIST-800-171-3.1.10 | 1473 | ····-·NIST-800-171-3.1.10 |
| 1487 | ····-·PCI-DSS-Req-8.1.8 | 1474 | ····-·PCI-DSS-Req-8.1.8 |
| 1488 | ····-·CJIS-5.5.5 | 1475 | ····-·CJIS-5.5.5 |
| 1489 | ····-· | 1476 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay"·id="guide-tree-leaf-idm95691"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.1.8"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay">Set·GNOME3·Screensaver·Inactivity·Timeout |
| 1490 | 1477 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·idle·time-out·value·for·inactivity·in·the·GNOME3·desktop·is·configured·via·the·<code>idle-delay</code> | |
| 1491 | 1478 | setting·must·be·set·under·an·appropriate·configuration·file(s)·in·the·<code>/etc/dconf/db/local.d</code>·directory | |
| 1492 | a | 1479 | and·locked·in·<code>/etc/dconf/db/local.d/locks</code>·directory·to·prevent·user·modification. |
| 1493 | < | 1480 | <br><br> |
| 1494 | 1481 | For·example,·to·configure·the·system·for·a·15·minute·delay,·add·the·following·to | |
| 1495 | 1482 | <code>/etc/dconf/db/local.d/00-security-settings</code>: | |
| 1496 | </p | 1483 | <pre>[org/gnome/desktop/session] |
| 1497 | 1484 | idle-delay='uint32·900'</pre> | |
| 1485 | Once·the·setting·has·been·added,·add·a·lock·to | ||
| 1498 | <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification. | 1486 | <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification. |
| 1499 | For·example: | 1487 | For·example: |
| 1500 | <pre>/org/gnome/desktop/s | 1488 | <pre>/org/gnome/desktop/session/idle-delay</pre> |
| 1501 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</p><span·class="label·label-primary">Rationale:</span><p> | 1489 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</p><span·class="label·label-primary">Rationale:</span><p>A·session·time-out·lock·is·a·temporary·action·taken·when·a·user·stops·work·and·moves·away·from |
| 1502 | 1490 | the·immediate·physical·vicinity·of·the·information·system·but·does·not·logout·because·of·the | |
| 1503 | 1491 | temporary·nature·of·the·absence.·Rather·than·relying·on·the·user·to·manually·lock·their·operating | |
| 1504 | 1492 | system·session·prior·to·vacating·the·vicinity,·GNOME3·can·be·configured·to·identify·when | |
| 1505 | 1493 | a·user's·session·has·idled·and·take·action·to·initiate·a·session·lock.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 1494 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 1495 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80110-0">CCE-80110-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 1496 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010070</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86517r4_rule</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm95715">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95715"><pre><code> | ||
| 1497 | inactivity_timeout_value="<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_inactivity_timeout_value">(N/A)</abbr>" | ||
| 1498 | function·include_dconf_settings·{ | ||
| 1506 | » : | 1499 | » : |
| 1507 | } | 1500 | } |
| 1508 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 1501 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 1509 | # | 1502 | # |
| 1510 | #·Example·Call(s): | 1503 | #·Example·Call(s): |
| 1511 | # | 1504 | # |
| Offset 1578, 52 lines modified | Offset 1570, 60 lines modified | ||
| 1578 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 1570 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 1579 | » fi | 1571 | » fi |
| 1580 | } | 1572 | } |
| 1581 | include_dconf_settings | 1573 | include_dconf_settings |
| Max diff block lines reached; 287856/305326 bytes (94.28%) of diff not shown. | |||
| Offset 58, 15 lines modified | Offset 58, 15 lines modified | ||
| 58 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 58 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 59 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 59 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 60 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 60 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 61 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 61 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 62 | quality,·reliability,·or·any·other·characteristic. | 62 | quality,·reliability,·or·any·other·characteristic. |
| 63 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·7</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 63 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·7</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 64 | ····························(as·of·2018-07-26) | 64 | ····························(as·of·2018-07-26) |
| 65 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Serv | 65 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·39,·SHA:·71531d2cb5e45bf87276058ffe0a5eac9722a5944d366562dfd03b1cc8832d7f·...·]</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"><small>contains·213·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 67 | the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 67 | the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 68 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which | 68 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which |
| 69 | ones·can·be·safely·disabled. | 69 | ones·can·be·safely·disabled. |
| 70 | <br><br> | 70 | <br><br> |
| 71 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 71 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 72 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 72 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 84, 25 lines modified | Offset 84, 25 lines modified | ||
| 84 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 84 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 85 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 85 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 86 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 86 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 87 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 87 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 88 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·14·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 88 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·14·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 90 | allow·cleartext·remote·access·and·have·an·insecure·trust | 90 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 91 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm359 | 91 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35969"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package |
| 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands | 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands |
| 93 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have | 93 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have |
| 94 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, | 94 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, |
| 95 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from | 95 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from |
| 96 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing | 96 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing |
| 97 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes | 97 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes |
| 98 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 98 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 99 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 99 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 100 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 100 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 101 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm3 | 101 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm35993">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35993"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 102 | # | 102 | # |
| 103 | #·Example·Call(s): | 103 | #·Example·Call(s): |
| 104 | # | 104 | # |
| 105 | #·····package_remove·telnet-server | 105 | #·····package_remove·telnet-server |
| 106 | # | 106 | # |
| 107 | function·package_remove·{ | 107 | function·package_remove·{ |
| Offset 132, 63 lines modified | Offset 132, 63 lines modified | ||
| 132 | ··echo·"Aborting." | 132 | ··echo·"Aborting." |
| 133 | ··exit·1 | 133 | ··exit·1 |
| 134 | fi | 134 | fi |
| 135 | } | 135 | } |
| 136 | package_remove·rsh | 136 | package_remove·rsh |
| 137 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 137 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm35995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed |
| 138 | ··package: | 138 | ··package: |
| 139 | ····name="{{item}}" | 139 | ····name="{{item}}" |
| 140 | ····state=absent | 140 | ····state=absent |
| 141 | ··with_items: | 141 | ··with_items: |
| 142 | ····-·rsh | 142 | ····-·rsh |
| 143 | ··tags: | 143 | ··tags: |
| 144 | ····-·package_rsh_removed | 144 | ····-·package_rsh_removed |
| 145 | ····-·unknown_severity | 145 | ····-·unknown_severity |
| 146 | ····-·disable_strategy | 146 | ····-·disable_strategy |
| 147 | ····-·low_complexity | 147 | ····-·low_complexity |
| 148 | ····-·low_disruption | 148 | ····-·low_disruption |
| 149 | ····-·CCE-27274-0 | 149 | ····-·CCE-27274-0 |
| 150 | ····-·NIST-800-171-3.1.13 | 150 | ····-·NIST-800-171-3.1.13 |
| 151 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 151 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm35996">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35996"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh |
| 152 | class·remove_rsh·{ | 152 | class·remove_rsh·{ |
| 153 | ··package·{·'rsh': | 153 | ··package·{·'rsh': |
| 154 | ····ensure·=>·'purged', | 154 | ····ensure·=>·'purged', |
| 155 | ··} | 155 | ··} |
| 156 | } | 156 | } |
| 157 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 157 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm35997">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35997"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 158 | package·--remove=rsh | 158 | package·--remove=rsh |
| 159 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm360 | 159 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service |
| 160 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with | 160 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with |
| 161 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 161 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 162 | as·a·systemd·socket,·should·be·disabled. | 162 | as·a·systemd·socket,·should·be·disabled. |
| 163 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 163 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 164 | If·using·systemd,· | 164 | If·using·systemd,· |
| 165 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 165 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 166 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which | 166 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which |
| 167 | means·that·data·from·the·login·session,·including·passwords·and | 167 | means·that·data·from·the·login·session,·including·passwords·and |
| 168 | all·other·information·transmitted·during·the·session,·can·be | 168 | all·other·information·transmitted·during·the·session,·can·be |
| 169 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 169 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 170 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 170 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 171 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 171 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 172 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 172 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36027">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36027"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&&·\ |
| 173 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin | 173 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin |
| 174 | # | 174 | # |
| 175 | #·Disable·rlogin.socket·for·all·systemd·targets | 175 | #·Disable·rlogin.socket·for·all·systemd·targets |
| 176 | # | 176 | # |
| 177 | systemctl·disable·rlogin.socket | 177 | systemctl·disable·rlogin.socket |
| 178 | # | 178 | # |
| 179 | #·Stop·rlogin.socket·if·currently·running | 179 | #·Stop·rlogin.socket·if·currently·running |
| 180 | # | 180 | # |
| 181 | systemctl·stop·rlogin.socket | 181 | systemctl·stop·rlogin.socket |
| 182 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 182 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36028">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36028"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin |
| 183 | ··service: | 183 | ··service: |
| 184 | ····name="{{item}}" | 184 | ····name="{{item}}" |
| 185 | ····enabled="no" | 185 | ····enabled="no" |
| 186 | ····state="stopped" | 186 | ····state="stopped" |
| 187 | ··register:·service_result | 187 | ··register:·service_result |
| 188 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 188 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 189 | ··with_items: | 189 | ··with_items: |
| Offset 201, 40 lines modified | Offset 201, 40 lines modified | ||
| 201 | ····-·low_disruption | 201 | ····-·low_disruption |
| 202 | ····-·CCE-27336-7 | 202 | ····-·CCE-27336-7 |
| 203 | ····-·NIST-800-53-AC-17(8) | 203 | ····-·NIST-800-53-AC-17(8) |
| 204 | ····-·NIST-800-53-CM-7 | 204 | ····-·NIST-800-53-CM-7 |
| 205 | ····-·NIST-800-53-IA-5(1)(c) | 205 | ····-·NIST-800-53-IA-5(1)(c) |
| 206 | ····-·NIST-800-171-3.1.13 | 206 | ····-·NIST-800-171-3.1.13 |
| 207 | ····-·NIST-800-171-3.4.7 | 207 | ····-·NIST-800-171-3.4.7 |
| 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm360 | 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36033"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with | 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 210 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 210 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 211 | as·a·systemd·socket,·should·be·disabled. | 211 | as·a·systemd·socket,·should·be·disabled. |
| 212 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· | 212 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 213 | If·using·systemd,· | 213 | If·using·systemd,· |
| 214 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 214 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 215 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which | 215 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 216 | means·that·data·from·the·login·session,·including·passwords·and | 216 | means·that·data·from·the·login·session,·including·passwords·and |
| 217 | all·other·information·transmitted·during·the·session,·can·be | 217 | all·other·information·transmitted·during·the·session,·can·be |
| 218 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 218 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 219 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 219 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 220 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 220 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 221 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 221 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36058">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36058"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| Max diff block lines reached; 1085672/1119403 bytes (96.99%) of diff not shown. | |||
| Offset 74, 27 lines modified | Offset 74, 27 lines modified | ||
| 74 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program· | 74 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program· |
| 75 | is·called·<code>sshd</code>·and·provided·by·the·RPM·package | 75 | is·called·<code>sshd</code>·and·provided·by·the·RPM·package |
| 76 | <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary | 76 | <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary |
| 77 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 77 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 78 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 78 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 79 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 79 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 80 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 80 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 81 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm399 | 81 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm39943"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords |
| 82 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·SSH·login·from·accounts·with | 82 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·SSH·login·from·accounts·with |
| 83 | empty·passwords,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>: | 83 | empty·passwords,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>: |
| 84 | <br> | 84 | <br> |
| 85 | <pre>PermitEmptyPasswords·no</pre> | 85 | <pre>PermitEmptyPasswords·no</pre> |
| 86 | <br> | 86 | <br> |
| 87 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | 87 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration |
| 88 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | 88 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that |
| 89 | remote·login·via·SSH·will·require·a·password,·even·in·the·event·of· | 89 | remote·login·via·SSH·will·require·a·password,·even·in·the·event·of· |
| 90 | misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 90 | misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 91 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 91 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 92 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27471-2">CCE-27471-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 92 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27471-2">CCE-27471-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 93 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010300</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm399 | 93 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010300</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm39970">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39970"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 94 | #·it·does·not·exist. | 94 | #·it·does·not·exist. |
| 95 | # | 95 | # |
| 96 | #·Expects·arguments: | 96 | #·Expects·arguments: |
| 97 | # | 97 | # |
| 98 | #·config_file:» » Configuration·file·that·will·be·modified | 98 | #·config_file:» » Configuration·file·that·will·be·modified |
| 99 | #·key:» » » Configuration·option·to·change | 99 | #·key:» » » Configuration·option·to·change |
| 100 | #·value:»»Value·of·the·configuration·option·to·change | 100 | #·value:»»Value·of·the·configuration·option·to·change |
| Offset 165, 15 lines modified | Offset 165, 15 lines modified | ||
| 165 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 165 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 166 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 166 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 167 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 167 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 168 | ··fi | 168 | ··fi |
| 169 | } | 169 | } |
| 170 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s' | 170 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s' |
| 171 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm399 | 171 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm39972">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39972"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Disable·SSH·Access·via·Empty·Passwords |
| 172 | ··lineinfile: | 172 | ··lineinfile: |
| 173 | ····create:·yes | 173 | ····create:·yes |
| 174 | ····dest:·/etc/ssh/sshd_config | 174 | ····dest:·/etc/ssh/sshd_config |
| 175 | ····regexp:·^PermitEmptyPasswords | 175 | ····regexp:·^PermitEmptyPasswords |
| 176 | ····line:·PermitEmptyPasswords·no | 176 | ····line:·PermitEmptyPasswords·no |
| 177 | ····validate:·sshd·-t·-f·%s | 177 | ····validate:·sshd·-t·-f·%s |
| 178 | ··tags: | 178 | ··tags: |
| Offset 186, 22 lines modified | Offset 186, 22 lines modified | ||
| 186 | ····-·NIST-800-53-AC-3 | 186 | ····-·NIST-800-53-AC-3 |
| 187 | ····-·NIST-800-53-AC-6 | 187 | ····-·NIST-800-53-AC-6 |
| 188 | ····-·NIST-800-53-CM-6(b) | 188 | ····-·NIST-800-53-CM-6(b) |
| 189 | ····-·NIST-800-171-3.1.1 | 189 | ····-·NIST-800-171-3.1.1 |
| 190 | ····-·NIST-800-171-3.1.5 | 190 | ····-·NIST-800-171-3.1.5 |
| 191 | ····-·CJIS-5.5.6 | 191 | ····-·CJIS-5.5.6 |
| 192 | ····-·DISA-STIG-RHEL-07-010300 | 192 | ····-·DISA-STIG-RHEL-07-010300 |
| 193 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm399 | 193 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm39978"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count |
| 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, | 194 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 195 | edit·<code>/etc/ssh/sshd_config</code>·as·follows: | 195 | edit·<code>/etc/ssh/sshd_config</code>·as·follows: |
| 196 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> | 196 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 197 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 197 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 198 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 198 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 199 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27082-7">CCE-27082-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 199 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27082-7">CCE-27082-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 200 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040340</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm | 200 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040340</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40005">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40005"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 201 | #·it·does·not·exist. | 201 | #·it·does·not·exist. |
| 202 | # | 202 | # |
| 203 | #·Expects·arguments: | 203 | #·Expects·arguments: |
| 204 | # | 204 | # |
| 205 | #·config_file:» » Configuration·file·that·will·be·modified | 205 | #·config_file:» » Configuration·file·that·will·be·modified |
| 206 | #·key:» » » Configuration·option·to·change | 206 | #·key:» » » Configuration·option·to·change |
| 207 | #·value:»»Value·of·the·configuration·option·to·change | 207 | #·value:»»Value·of·the·configuration·option·to·change |
| Offset 272, 15 lines modified | Offset 272, 15 lines modified | ||
| 272 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 272 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 273 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 273 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 274 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 274 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 275 | ··fi | 275 | ··fi |
| 276 | } | 276 | } |
| 277 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' | 277 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' |
| 278 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm | 278 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm40007">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40007"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Set·SSH·Client·Alive·Count |
| 279 | ··lineinfile: | 279 | ··lineinfile: |
| 280 | ····create:·yes | 280 | ····create:·yes |
| 281 | ····dest:·/etc/ssh/sshd_config | 281 | ····dest:·/etc/ssh/sshd_config |
| 282 | ····regexp:·^ClientAliveCountMax | 282 | ····regexp:·^ClientAliveCountMax |
| 283 | ····line:·ClientAliveCountMax·0 | 283 | ····line:·ClientAliveCountMax·0 |
| 284 | ····validate:·sshd·-t·-f·%s | 284 | ····validate:·sshd·-t·-f·%s |
| 285 | ··#notify:·restart·sshd | 285 | ··#notify:·restart·sshd |
| Offset 293, 26 lines modified | Offset 293, 36 lines modified | ||
| 293 | ····-·CCE-27082-7 | 293 | ····-·CCE-27082-7 |
| 294 | ····-·NIST-800-53-AC-2(5) | 294 | ····-·NIST-800-53-AC-2(5) |
| 295 | ····-·NIST-800-53-SA-8 | 295 | ····-·NIST-800-53-SA-8 |
| 296 | ····-·NIST-800-53-AC-12 | 296 | ····-·NIST-800-53-AC-12 |
| 297 | ····-·NIST-800-171-3.1.11 | 297 | ····-·NIST-800-171-3.1.11 |
| 298 | ····-·CJIS-5.5.6 | 298 | ····-·CJIS-5.5.6 |
| 299 | ····-·DISA-STIG-RHEL-07-040340 | 299 | ····-·DISA-STIG-RHEL-07-040340 |
| 300 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_e | 300 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm40013"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 301 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_e | 301 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout |
| 302 | 302 | interval. | |
| 303 | 303 | After·this·interval·has·passed,·the·idle·user·will·be | |
| 304 | 304 | automatically·logged·out. | |
| 305 | 305 | <br><br> | |
| 306 | 306 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | |
| 307 | 307 | follows: | |
| 308 | 308 | <pre>ClientAliveInterval·<b>interval</b></pre> | |
| 309 | 309 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | |
| 310 | 310 | of·10·minutes,·set·<b>interval</b>·to·600. | |
| 311 | 311 | <br><br> | |
| 312 | If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will· | ||
| 313 | preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | ||
| 314 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of | ||
| 315 | opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session | ||
| 316 | enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 317 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | ||
| 318 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27433-2">CCE-27433-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 319 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040320</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40040">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40040"><pre><code> | ||
| 320 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">1800</abbr>" | ||
| 321 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | ||
| 312 | #·it·does·not·exist. | 322 | #·it·does·not·exist. |
| 313 | # | 323 | # |
| 314 | #·Expects·arguments: | 324 | #·Expects·arguments: |
| 315 | # | 325 | # |
| 316 | #·config_file:» » Configuration·file·that·will·be·modified | 326 | #·config_file:» » Configuration·file·that·will·be·modified |
| 317 | #·key:» » » Configuration·option·to·change | 327 | #·key:» » » Configuration·option·to·change |
| 318 | #·value:»»Value·of·the·configuration·option·to·change | 328 | #·value:»»Value·of·the·configuration·option·to·change |
| Offset 382, 46 lines modified | Offset 392, 55 lines modified | ||
| 382 | ··else | 392 | ··else |
| 383 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 393 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 384 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 394 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 385 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 395 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 386 | ··fi | 396 | ··fi |
| 387 | } | 397 | } |
| Max diff block lines reached; 493160/522900 bytes (94.31%) of diff not shown. | |||
| Offset 48, 27 lines modified | Offset 48, 24 lines modified | ||
| 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 48 | </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 49 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 50 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 51 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 52 | quality,·reliability,·or·any·other·characteristic. | 52 | quality,·reliability,·or·any·other·characteristic. |
| 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 53 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 54 | ····························(as·of·2018-07-26) | 54 | ····························(as·of·2018-07-26) |
| 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 55 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_routing">Network·Routing</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·1045,·SHA:·34a457b90e6dfc8c26555d3cb2e11b5b3c1823d634243e7c52f3554b7bfc3eae·...·]</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 56 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 57 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 58 | the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 58 | the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which | 59 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which |
| 60 | ones·can·be·safely·disabled. | 60 | ones·can·be·safely·disabled. |
| 61 | <br><br> | 61 | <br><br> |
| 62 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 62 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 63 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 63 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 64 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 64 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are | ||
| 66 | ··self-sufficient·and·self-contained·applications·using·the·resource | ||
| 67 | ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services | ||
| 68 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible |
| 69 | services·which·have·historically·caused·problems·for·system | 66 | services·which·have·historically·caused·problems·for·system |
| 70 | security,·and·for·which·disabling·or·severely·limiting·the·service | 67 | security,·and·for·which·disabling·or·severely·limiting·the·service |
| 71 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of | 68 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of |
| 72 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·7 | 69 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·7 |
| 73 | by·default. | 70 | by·default. |
| 74 | <br><br> | 71 | <br><br> |
| Offset 102, 15 lines modified | Offset 99, 51 lines modified | ||
| 102 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 99 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 103 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 100 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 104 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 101 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 105 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 102 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 106 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 103 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 107 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services | 104 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services |
| 108 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages | 105 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages |
| 109 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 106 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_imap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server |
| 107 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·provides·IMAP·and·POP3·services.·It·is·not | ||
| 108 | installed·by·default.·The·project·page·at·<a·href="http://www.dovecot.org">http://www.dovecot.org</a> | ||
| 109 | contains·more·detailed·information·about·Dovecot | ||
| 110 | configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary | ||
| 111 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or | ||
| 112 | POP3·server,·the·dovecot·software·should·be·configured·securely·by·following | ||
| 113 | the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support | ||
| 114 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the· | ||
| 115 | Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot· | ||
| 116 | server·in·order·to·read·their·mail,·and·passwords·should·never·be· | ||
| 117 | transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is· | ||
| 118 | downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates· | ||
| 119 | to·authenticate·the·server,·preventing·another·system·from·impersonating· | ||
| 120 | the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server | ||
| 121 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound | ||
| 122 | access·to·any·services.·This·modification·will·allow·remote·hosts·to | ||
| 123 | initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports | ||
| 124 | on·the·server·in·their·default·protected·state. | ||
| 125 | ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s): | ||
| 126 | ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and | ||
| 127 | ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols | ||
| 128 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as· | ||
| 129 | SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server· | ||
| 130 | to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.· | ||
| 131 | Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with· | ||
| 132 | only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,· | ||
| 133 | <code>pop3</code>,·<code>pop3s</code>)·required: | ||
| 134 | <pre>protocols·=·PROTOCOL</pre> | ||
| 135 | If·possible,·require·SSL·protection·for·all·transactions.·The·SSL· | ||
| 136 | protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for· | ||
| 137 | pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.· | ||
| 138 | An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the· | ||
| 139 | client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot | ||
| 140 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or | ||
| 141 | POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack | ||
| 110 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server | 142 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 111 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to | 143 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 112 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | 144 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means |
| 113 | that·passwords·and·other·data·transmitted·during·the·session·can·be | 145 | that·passwords·and·other·data·transmitted·during·the·session·can·be |
| 114 | captured·and·that·the·session·is·vulnerable·to·hijacking. | 146 | captured·and·that·the·session·is·vulnerable·to·hijacking. |
| 115 | Therefore,·running·the·FTP·server·software·is·not·recommended. | 147 | Therefore,·running·the·FTP·server·software·is·not·recommended. |
| 116 | <br><br> | 148 | <br><br> |
| Offset 866, 51 lines modified | Offset 899, 18 lines modified | ||
| 866 | supersede·domain-name-servers·192.168.1.2; | 899 | supersede·domain-name-servers·192.168.1.2; |
| 867 | supersede·nis-domain·""; | 900 | supersede·nis-domain·""; |
| 868 | supersede·nis-servers·""; | 901 | supersede·nis-servers·""; |
| 869 | supersede·ntp-servers·"ntp.example.com·"; | 902 | supersede·ntp-servers·"ntp.example.com·"; |
| 870 | supersede·routers·192.168.1.1; | 903 | supersede·routers·192.168.1.1; |
| 871 | supersede·time-offset·-18000; | 904 | supersede·time-offset·-18000; |
| 872 | request·subnet-mask; | 905 | request·subnet-mask; |
| 873 | require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 906 | require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_docker"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_docker">Docker·Service |
| 874 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 907 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are |
| 875 | 908 | ··self-sufficient·and·self-contained·applications·using·the·resource | |
| 876 | contains | 909 | ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC |
| 877 | configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary | ||
| 878 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or | ||
| 879 | POP3·server,·the·dovecot·software·should·be·configured·securely·by·following | ||
| 880 | the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support | ||
| 881 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the· | ||
| 882 | Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot· | ||
| 883 | server·in·order·to·read·their·mail,·and·passwords·should·never·be· | ||
| 884 | transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is· | ||
| 885 | downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates· | ||
| 886 | to·authenticate·the·server,·preventing·another·system·from·impersonating· | ||
| 887 | the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server | ||
| 888 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound | ||
| 889 | access·to·any·services.·This·modification·will·allow·remote·hosts·to | ||
| 890 | initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports | ||
| 891 | on·the·server·in·their·default·protected·state. | ||
| 892 | ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s): | ||
| 893 | ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and | ||
| 894 | ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols | ||
| 895 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as· | ||
| 896 | SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server· | ||
| 897 | to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.· | ||
| 898 | Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with· | ||
| 899 | only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,· | ||
| 900 | <code>pop3</code>,·<code>pop3s</code>)·required: | ||
| 901 | <pre>protocols·=·PROTOCOL</pre> | ||
| 902 | If·possible,·require·SSL·protection·for·all·transactions.·The·SSL· | ||
| 903 | protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for· | ||
| 904 | pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.· | ||
| 905 | An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the· | ||
| 906 | client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot | ||
| 907 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or | ||
| 908 | POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC | ||
| 909 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for | 910 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for |
| 910 | the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the | 911 | the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the |
| 911 | circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies, | 912 | circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies, |
| Max diff block lines reached; 84025/117952 bytes (71.24%) of diff not shown. | |||
| Offset 82, 25 lines modified | Offset 82, 25 lines modified | ||
| 82 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 82 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 83 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 83 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 84 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 84 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 85 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 85 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 86 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 86 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 88 | allow·cleartext·remote·access·and·have·an·insecure·trust | 88 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 89 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm359 | 89 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35969"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package |
| 90 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands | 90 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands |
| 91 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have | 91 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have |
| 92 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, | 92 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, |
| 93 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from | 93 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from |
| 94 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing | 94 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing |
| 95 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes | 95 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes |
| 96 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 96 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 97 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 98 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 99 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm3 | 99 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm35993">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35993"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 100 | # | 100 | # |
| 101 | #·Example·Call(s): | 101 | #·Example·Call(s): |
| 102 | # | 102 | # |
| 103 | #·····package_remove·telnet-server | 103 | #·····package_remove·telnet-server |
| 104 | # | 104 | # |
| 105 | function·package_remove·{ | 105 | function·package_remove·{ |
| Offset 130, 63 lines modified | Offset 130, 63 lines modified | ||
| 130 | ··echo·"Aborting." | 130 | ··echo·"Aborting." |
| 131 | ··exit·1 | 131 | ··exit·1 |
| 132 | fi | 132 | fi |
| 133 | } | 133 | } |
| 134 | package_remove·rsh | 134 | package_remove·rsh |
| 135 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 135 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm35995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed |
| 136 | ··package: | 136 | ··package: |
| 137 | ····name="{{item}}" | 137 | ····name="{{item}}" |
| 138 | ····state=absent | 138 | ····state=absent |
| 139 | ··with_items: | 139 | ··with_items: |
| 140 | ····-·rsh | 140 | ····-·rsh |
| 141 | ··tags: | 141 | ··tags: |
| 142 | ····-·package_rsh_removed | 142 | ····-·package_rsh_removed |
| 143 | ····-·unknown_severity | 143 | ····-·unknown_severity |
| 144 | ····-·disable_strategy | 144 | ····-·disable_strategy |
| 145 | ····-·low_complexity | 145 | ····-·low_complexity |
| 146 | ····-·low_disruption | 146 | ····-·low_disruption |
| 147 | ····-·CCE-27274-0 | 147 | ····-·CCE-27274-0 |
| 148 | ····-·NIST-800-171-3.1.13 | 148 | ····-·NIST-800-171-3.1.13 |
| 149 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 149 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm35996">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35996"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh |
| 150 | class·remove_rsh·{ | 150 | class·remove_rsh·{ |
| 151 | ··package·{·'rsh': | 151 | ··package·{·'rsh': |
| 152 | ····ensure·=>·'purged', | 152 | ····ensure·=>·'purged', |
| 153 | ··} | 153 | ··} |
| 154 | } | 154 | } |
| 155 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 155 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm35997">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35997"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 156 | package·--remove=rsh | 156 | package·--remove=rsh |
| 157 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm360 | 157 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service |
| 158 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with | 158 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with |
| 159 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 159 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 160 | as·a·systemd·socket,·should·be·disabled. | 160 | as·a·systemd·socket,·should·be·disabled. |
| 161 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 161 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 162 | If·using·systemd,· | 162 | If·using·systemd,· |
| 163 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 163 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 164 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which | 164 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which |
| 165 | means·that·data·from·the·login·session,·including·passwords·and | 165 | means·that·data·from·the·login·session,·including·passwords·and |
| 166 | all·other·information·transmitted·during·the·session,·can·be | 166 | all·other·information·transmitted·during·the·session,·can·be |
| 167 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 167 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 168 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 168 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 169 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 169 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 170 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 170 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36027">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36027"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&&·\ |
| 171 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin | 171 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin |
| 172 | # | 172 | # |
| 173 | #·Disable·rlogin.socket·for·all·systemd·targets | 173 | #·Disable·rlogin.socket·for·all·systemd·targets |
| 174 | # | 174 | # |
| 175 | systemctl·disable·rlogin.socket | 175 | systemctl·disable·rlogin.socket |
| 176 | # | 176 | # |
| 177 | #·Stop·rlogin.socket·if·currently·running | 177 | #·Stop·rlogin.socket·if·currently·running |
| 178 | # | 178 | # |
| 179 | systemctl·stop·rlogin.socket | 179 | systemctl·stop·rlogin.socket |
| 180 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 180 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36028">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36028"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin |
| 181 | ··service: | 181 | ··service: |
| 182 | ····name="{{item}}" | 182 | ····name="{{item}}" |
| 183 | ····enabled="no" | 183 | ····enabled="no" |
| 184 | ····state="stopped" | 184 | ····state="stopped" |
| 185 | ··register:·service_result | 185 | ··register:·service_result |
| 186 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 186 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 187 | ··with_items: | 187 | ··with_items: |
| Offset 199, 40 lines modified | Offset 199, 40 lines modified | ||
| 199 | ····-·low_disruption | 199 | ····-·low_disruption |
| 200 | ····-·CCE-27336-7 | 200 | ····-·CCE-27336-7 |
| 201 | ····-·NIST-800-53-AC-17(8) | 201 | ····-·NIST-800-53-AC-17(8) |
| 202 | ····-·NIST-800-53-CM-7 | 202 | ····-·NIST-800-53-CM-7 |
| 203 | ····-·NIST-800-53-IA-5(1)(c) | 203 | ····-·NIST-800-53-IA-5(1)(c) |
| 204 | ····-·NIST-800-171-3.1.13 | 204 | ····-·NIST-800-171-3.1.13 |
| 205 | ····-·NIST-800-171-3.4.7 | 205 | ····-·NIST-800-171-3.4.7 |
| 206 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm360 | 206 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36033"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 207 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with | 207 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 208 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 208 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 209 | as·a·systemd·socket,·should·be·disabled. | 209 | as·a·systemd·socket,·should·be·disabled. |
| 210 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· | 210 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 211 | If·using·systemd,· | 211 | If·using·systemd,· |
| 212 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 212 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 213 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which | 213 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 214 | means·that·data·from·the·login·session,·including·passwords·and | 214 | means·that·data·from·the·login·session,·including·passwords·and |
| 215 | all·other·information·transmitted·during·the·session,·can·be | 215 | all·other·information·transmitted·during·the·session,·can·be |
| 216 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 216 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 217 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 217 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 218 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 218 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 219 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 219 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36058">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36058"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 220 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec | 220 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 221 | # | 221 | # |
| 222 | #·Disable·rexec.socket·for·all·systemd·targets | 222 | #·Disable·rexec.socket·for·all·systemd·targets |
| 223 | # | 223 | # |
| 224 | systemctl·disable·rexec.socket | 224 | systemctl·disable·rexec.socket |
| 225 | # | 225 | # |
| 226 | #·Stop·rexec.socket·if·currently·running | 226 | #·Stop·rexec.socket·if·currently·running |
| 227 | # | 227 | # |
| 228 | systemctl·stop·rexec.socket | 228 | systemctl·stop·rexec.socket |
| 229 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 229 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36059">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36059"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 230 | ··service: | 230 | ··service: |
| 231 | ····name="{{item}}" | 231 | ····name="{{item}}" |
| 232 | ····enabled="no" | 232 | ····enabled="no" |
| 233 | ····state="stopped" | 233 | ····state="stopped" |
| Max diff block lines reached; 903645/930099 bytes (97.16%) of diff not shown. | |||
| Offset 90, 25 lines modified | Offset 90, 25 lines modified | ||
| 90 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 90 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 91 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 91 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 92 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 92 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 93 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 93 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 94 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 94 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 95 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 95 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 96 | allow·cleartext·remote·access·and·have·an·insecure·trust | 96 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 97 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm359 | 97 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35969"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package |
| 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands | 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands |
| 99 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have | 99 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have |
| 100 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, | 100 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, |
| 101 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from | 101 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from |
| 102 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing | 102 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing |
| 103 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes | 103 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes |
| 104 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 104 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 105 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 105 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 106 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 106 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 107 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm3 | 107 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm35993">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35993"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 108 | # | 108 | # |
| 109 | #·Example·Call(s): | 109 | #·Example·Call(s): |
| 110 | # | 110 | # |
| 111 | #·····package_remove·telnet-server | 111 | #·····package_remove·telnet-server |
| 112 | # | 112 | # |
| 113 | function·package_remove·{ | 113 | function·package_remove·{ |
| Offset 138, 63 lines modified | Offset 138, 63 lines modified | ||
| 138 | ··echo·"Aborting." | 138 | ··echo·"Aborting." |
| 139 | ··exit·1 | 139 | ··exit·1 |
| 140 | fi | 140 | fi |
| 141 | } | 141 | } |
| 142 | package_remove·rsh | 142 | package_remove·rsh |
| 143 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 143 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm35995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed |
| 144 | ··package: | 144 | ··package: |
| 145 | ····name="{{item}}" | 145 | ····name="{{item}}" |
| 146 | ····state=absent | 146 | ····state=absent |
| 147 | ··with_items: | 147 | ··with_items: |
| 148 | ····-·rsh | 148 | ····-·rsh |
| 149 | ··tags: | 149 | ··tags: |
| 150 | ····-·package_rsh_removed | 150 | ····-·package_rsh_removed |
| 151 | ····-·unknown_severity | 151 | ····-·unknown_severity |
| 152 | ····-·disable_strategy | 152 | ····-·disable_strategy |
| 153 | ····-·low_complexity | 153 | ····-·low_complexity |
| 154 | ····-·low_disruption | 154 | ····-·low_disruption |
| 155 | ····-·CCE-27274-0 | 155 | ····-·CCE-27274-0 |
| 156 | ····-·NIST-800-171-3.1.13 | 156 | ····-·NIST-800-171-3.1.13 |
| 157 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 157 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm35996">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35996"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh |
| 158 | class·remove_rsh·{ | 158 | class·remove_rsh·{ |
| 159 | ··package·{·'rsh': | 159 | ··package·{·'rsh': |
| 160 | ····ensure·=>·'purged', | 160 | ····ensure·=>·'purged', |
| 161 | ··} | 161 | ··} |
| 162 | } | 162 | } |
| 163 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 163 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm35997">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35997"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 164 | package·--remove=rsh | 164 | package·--remove=rsh |
| 165 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm360 | 165 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service |
| 166 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with | 166 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with |
| 167 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 167 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 168 | as·a·systemd·socket,·should·be·disabled. | 168 | as·a·systemd·socket,·should·be·disabled. |
| 169 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 169 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 170 | If·using·systemd,· | 170 | If·using·systemd,· |
| 171 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 171 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 172 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which | 172 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which |
| 173 | means·that·data·from·the·login·session,·including·passwords·and | 173 | means·that·data·from·the·login·session,·including·passwords·and |
| 174 | all·other·information·transmitted·during·the·session,·can·be | 174 | all·other·information·transmitted·during·the·session,·can·be |
| 175 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 175 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 176 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 176 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 177 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 177 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 178 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 178 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36027">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36027"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&&·\ |
| 179 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin | 179 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin |
| 180 | # | 180 | # |
| 181 | #·Disable·rlogin.socket·for·all·systemd·targets | 181 | #·Disable·rlogin.socket·for·all·systemd·targets |
| 182 | # | 182 | # |
| 183 | systemctl·disable·rlogin.socket | 183 | systemctl·disable·rlogin.socket |
| 184 | # | 184 | # |
| 185 | #·Stop·rlogin.socket·if·currently·running | 185 | #·Stop·rlogin.socket·if·currently·running |
| 186 | # | 186 | # |
| 187 | systemctl·stop·rlogin.socket | 187 | systemctl·stop·rlogin.socket |
| 188 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 188 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36028">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36028"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin |
| 189 | ··service: | 189 | ··service: |
| 190 | ····name="{{item}}" | 190 | ····name="{{item}}" |
| 191 | ····enabled="no" | 191 | ····enabled="no" |
| 192 | ····state="stopped" | 192 | ····state="stopped" |
| 193 | ··register:·service_result | 193 | ··register:·service_result |
| 194 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 194 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 195 | ··with_items: | 195 | ··with_items: |
| Offset 207, 40 lines modified | Offset 207, 40 lines modified | ||
| 207 | ····-·low_disruption | 207 | ····-·low_disruption |
| 208 | ····-·CCE-27336-7 | 208 | ····-·CCE-27336-7 |
| 209 | ····-·NIST-800-53-AC-17(8) | 209 | ····-·NIST-800-53-AC-17(8) |
| 210 | ····-·NIST-800-53-CM-7 | 210 | ····-·NIST-800-53-CM-7 |
| 211 | ····-·NIST-800-53-IA-5(1)(c) | 211 | ····-·NIST-800-53-IA-5(1)(c) |
| 212 | ····-·NIST-800-171-3.1.13 | 212 | ····-·NIST-800-171-3.1.13 |
| 213 | ····-·NIST-800-171-3.4.7 | 213 | ····-·NIST-800-171-3.4.7 |
| 214 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm360 | 214 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36033"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 215 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with | 215 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 216 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 216 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 217 | as·a·systemd·socket,·should·be·disabled. | 217 | as·a·systemd·socket,·should·be·disabled. |
| 218 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· | 218 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 219 | If·using·systemd,· | 219 | If·using·systemd,· |
| 220 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 220 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 221 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which | 221 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 222 | means·that·data·from·the·login·session,·including·passwords·and | 222 | means·that·data·from·the·login·session,·including·passwords·and |
| 223 | all·other·information·transmitted·during·the·session,·can·be | 223 | all·other·information·transmitted·during·the·session,·can·be |
| 224 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 224 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 225 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 225 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 226 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 226 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 227 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 227 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36058">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36058"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 228 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec | 228 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 229 | # | 229 | # |
| 230 | #·Disable·rexec.socket·for·all·systemd·targets | 230 | #·Disable·rexec.socket·for·all·systemd·targets |
| 231 | # | 231 | # |
| 232 | systemctl·disable·rexec.socket | 232 | systemctl·disable·rexec.socket |
| 233 | # | 233 | # |
| 234 | #·Stop·rexec.socket·if·currently·running | 234 | #·Stop·rexec.socket·if·currently·running |
| 235 | # | 235 | # |
| 236 | systemctl·stop·rexec.socket | 236 | systemctl·stop·rexec.socket |
| 237 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 237 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36059">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36059"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 238 | ··service: | 238 | ··service: |
| 239 | ····name="{{item}}" | 239 | ····name="{{item}}" |
| 240 | ····enabled="no" | 240 | ····enabled="no" |
| 241 | ····state="stopped" | 241 | ····state="stopped" |
| Max diff block lines reached; 1817618/1844072 bytes (98.57%) of diff not shown. | |||
| Offset 101, 25 lines modified | Offset 101, 25 lines modified | ||
| 101 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 101 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 102 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 102 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 103 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 103 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 104 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 104 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 105 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 105 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 106 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 106 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 107 | allow·cleartext·remote·access·and·have·an·insecure·trust | 107 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 108 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm359 | 108 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35969"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package |
| 109 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands | 109 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands |
| 110 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have | 110 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have |
| 111 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, | 111 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, |
| 112 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from | 112 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from |
| 113 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing | 113 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing |
| 114 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes | 114 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes |
| 115 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 115 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 116 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 116 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 117 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 117 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 118 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm3 | 118 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm35993">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35993"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 119 | # | 119 | # |
| 120 | #·Example·Call(s): | 120 | #·Example·Call(s): |
| 121 | # | 121 | # |
| 122 | #·····package_remove·telnet-server | 122 | #·····package_remove·telnet-server |
| 123 | # | 123 | # |
| 124 | function·package_remove·{ | 124 | function·package_remove·{ |
| Offset 149, 63 lines modified | Offset 149, 63 lines modified | ||
| 149 | ··echo·"Aborting." | 149 | ··echo·"Aborting." |
| 150 | ··exit·1 | 150 | ··exit·1 |
| 151 | fi | 151 | fi |
| 152 | } | 152 | } |
| 153 | package_remove·rsh | 153 | package_remove·rsh |
| 154 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 154 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm35995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed |
| 155 | ··package: | 155 | ··package: |
| 156 | ····name="{{item}}" | 156 | ····name="{{item}}" |
| 157 | ····state=absent | 157 | ····state=absent |
| 158 | ··with_items: | 158 | ··with_items: |
| 159 | ····-·rsh | 159 | ····-·rsh |
| 160 | ··tags: | 160 | ··tags: |
| 161 | ····-·package_rsh_removed | 161 | ····-·package_rsh_removed |
| 162 | ····-·unknown_severity | 162 | ····-·unknown_severity |
| 163 | ····-·disable_strategy | 163 | ····-·disable_strategy |
| 164 | ····-·low_complexity | 164 | ····-·low_complexity |
| 165 | ····-·low_disruption | 165 | ····-·low_disruption |
| 166 | ····-·CCE-27274-0 | 166 | ····-·CCE-27274-0 |
| 167 | ····-·NIST-800-171-3.1.13 | 167 | ····-·NIST-800-171-3.1.13 |
| 168 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 168 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm35996">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35996"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh |
| 169 | class·remove_rsh·{ | 169 | class·remove_rsh·{ |
| 170 | ··package·{·'rsh': | 170 | ··package·{·'rsh': |
| 171 | ····ensure·=>·'purged', | 171 | ····ensure·=>·'purged', |
| 172 | ··} | 172 | ··} |
| 173 | } | 173 | } |
| 174 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 174 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm35997">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35997"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 175 | package·--remove=rsh | 175 | package·--remove=rsh |
| 176 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm360 | 176 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service |
| 177 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with | 177 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with |
| 178 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 178 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 179 | as·a·systemd·socket,·should·be·disabled. | 179 | as·a·systemd·socket,·should·be·disabled. |
| 180 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 180 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 181 | If·using·systemd,· | 181 | If·using·systemd,· |
| 182 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 182 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 183 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which | 183 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which |
| 184 | means·that·data·from·the·login·session,·including·passwords·and | 184 | means·that·data·from·the·login·session,·including·passwords·and |
| 185 | all·other·information·transmitted·during·the·session,·can·be | 185 | all·other·information·transmitted·during·the·session,·can·be |
| 186 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 186 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 187 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 187 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 188 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 188 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 189 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 189 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36027">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36027"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&&·\ |
| 190 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin | 190 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin |
| 191 | # | 191 | # |
| 192 | #·Disable·rlogin.socket·for·all·systemd·targets | 192 | #·Disable·rlogin.socket·for·all·systemd·targets |
| 193 | # | 193 | # |
| 194 | systemctl·disable·rlogin.socket | 194 | systemctl·disable·rlogin.socket |
| 195 | # | 195 | # |
| 196 | #·Stop·rlogin.socket·if·currently·running | 196 | #·Stop·rlogin.socket·if·currently·running |
| 197 | # | 197 | # |
| 198 | systemctl·stop·rlogin.socket | 198 | systemctl·stop·rlogin.socket |
| 199 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 199 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36028">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36028"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin |
| 200 | ··service: | 200 | ··service: |
| 201 | ····name="{{item}}" | 201 | ····name="{{item}}" |
| 202 | ····enabled="no" | 202 | ····enabled="no" |
| 203 | ····state="stopped" | 203 | ····state="stopped" |
| 204 | ··register:·service_result | 204 | ··register:·service_result |
| 205 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 205 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 206 | ··with_items: | 206 | ··with_items: |
| Offset 218, 40 lines modified | Offset 218, 40 lines modified | ||
| 218 | ····-·low_disruption | 218 | ····-·low_disruption |
| 219 | ····-·CCE-27336-7 | 219 | ····-·CCE-27336-7 |
| 220 | ····-·NIST-800-53-AC-17(8) | 220 | ····-·NIST-800-53-AC-17(8) |
| 221 | ····-·NIST-800-53-CM-7 | 221 | ····-·NIST-800-53-CM-7 |
| 222 | ····-·NIST-800-53-IA-5(1)(c) | 222 | ····-·NIST-800-53-IA-5(1)(c) |
| 223 | ····-·NIST-800-171-3.1.13 | 223 | ····-·NIST-800-171-3.1.13 |
| 224 | ····-·NIST-800-171-3.4.7 | 224 | ····-·NIST-800-171-3.4.7 |
| 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm360 | 225 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36033"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 226 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with | 226 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 227 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 227 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 228 | as·a·systemd·socket,·should·be·disabled. | 228 | as·a·systemd·socket,·should·be·disabled. |
| 229 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· | 229 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 230 | If·using·systemd,· | 230 | If·using·systemd,· |
| 231 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 231 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 232 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which | 232 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 233 | means·that·data·from·the·login·session,·including·passwords·and | 233 | means·that·data·from·the·login·session,·including·passwords·and |
| 234 | all·other·information·transmitted·during·the·session,·can·be | 234 | all·other·information·transmitted·during·the·session,·can·be |
| 235 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 235 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 236 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 236 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 237 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 237 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 238 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 238 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36058">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36058"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 239 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec | 239 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 240 | # | 240 | # |
| 241 | #·Disable·rexec.socket·for·all·systemd·targets | 241 | #·Disable·rexec.socket·for·all·systemd·targets |
| 242 | # | 242 | # |
| 243 | systemctl·disable·rexec.socket | 243 | systemctl·disable·rexec.socket |
| 244 | # | 244 | # |
| 245 | #·Stop·rexec.socket·if·currently·running | 245 | #·Stop·rexec.socket·if·currently·running |
| 246 | # | 246 | # |
| 247 | systemctl·stop·rexec.socket | 247 | systemctl·stop·rexec.socket |
| 248 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 248 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36059">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36059"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 249 | ··service: | 249 | ··service: |
| 250 | ····name="{{item}}" | 250 | ····name="{{item}}" |
| 251 | ····enabled="no" | 251 | ····enabled="no" |
| 252 | ····state="stopped" | 252 | ····state="stopped" |
| Max diff block lines reached; 1817620/1844076 bytes (98.57%) of diff not shown. | |||
| Offset 108, 15 lines modified | Offset 108, 15 lines modified | ||
| 108 | <br><br> | 108 | <br><br> |
| 109 | Refer·to·<a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>·for·more·detailed·comparison·of·features·of·<code>chronyd</code> | 109 | Refer·to·<a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>·for·more·detailed·comparison·of·features·of·<code>chronyd</code> |
| 110 | and·<code>ntpd</code>·daemon·features·respectively,·and·for·further·guidance·how·to | 110 | and·<code>ntpd</code>·daemon·features·respectively,·and·for·further·guidance·how·to |
| 111 | choose·between·the·two·NTP·daemons. | 111 | choose·between·the·two·NTP·daemons. |
| 112 | <br><br> | 112 | <br><br> |
| 113 | The·upstream·manual·pages·at·<a·href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</a>·for | 113 | The·upstream·manual·pages·at·<a·href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</a>·for |
| 114 | <code>chronyd</code>·and·<a·href="http://www.ntp.org">http://www.ntp.org</a>·for·<code>ntpd</code>·provide·additional | 114 | <code>chronyd</code>·and·<a·href="http://www.ntp.org">http://www.ntp.org</a>·for·<code>ntpd</code>·provide·additional |
| 115 | information·on·the·capabilities·and·configuration·of·each·of·the·NTP·daemons.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm38 | 115 | information·on·the·capabilities·and·configuration·of·each·of·the·NTP·daemons.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm38651"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 116 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete | 116 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete |
| 117 | production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be | 117 | production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be |
| 118 | configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the | 118 | configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the |
| 119 | default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to | 119 | default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to |
| 120 | <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a> | 120 | <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a> |
| 121 | for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for | 121 | for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for |
| 122 | further·guidance·how·to·choose·between·the·two·NTP·daemons. | 122 | further·guidance·how·to·choose·between·the·two·NTP·daemons. |
| Offset 130, 15 lines modified | Offset 130, 15 lines modified | ||
| 130 | hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 130 | hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 131 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | 131 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of |
| 132 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | 132 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes |
| 133 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | 133 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for |
| 134 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 134 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 135 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 135 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 136 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27012-4">CCE-27012-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 136 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27012-4">CCE-27012-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 137 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38 | 137 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38672">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38672"><pre><code> |
| 138 | var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>" | 138 | var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>" |
| 139 | #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here. | 139 | #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here. |
| 140 | #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries | 140 | #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries |
| 141 | #·$1:·Path·to·the·config·file | 141 | #·$1:·Path·to·the·config·file |
| 142 | #·$2:·Comma-separated·list·of·servers | 142 | #·$2:·Comma-separated·list·of·servers |
| 143 | function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{ | 143 | function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{ |
| Offset 157, 15 lines modified | Offset 157, 15 lines modified | ||
| 157 | rhel7_ensure_there_are_servers_in_ntp_compatible_config_file | 157 | rhel7_ensure_there_are_servers_in_ntp_compatible_config_file |
| 158 | config_file="/etc/ntp.conf" | 158 | config_file="/etc/ntp.conf" |
| 159 | /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf" | 159 | /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf" |
| 160 | [·"$(grep·-c·'^server'·"$config_file")"·-gt·1·]·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers" | 160 | [·"$(grep·-c·'^server'·"$config_file")"·-gt·1·]·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers" |
| 161 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·id="guide-tree-leaf-idm386 | 161 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·id="guide-tree-leaf-idm38677"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 162 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete | 162 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete |
| 163 | production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be | 163 | production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be |
| 164 | configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the | 164 | configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the |
| 165 | default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to | 165 | default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to |
| 166 | <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a> | 166 | <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a> |
| 167 | for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for | 167 | for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for |
| 168 | further·guidance·how·to·choose·between·the·two·NTP·daemons. | 168 | further·guidance·how·to·choose·between·the·two·NTP·daemons. |
| Offset 178, 15 lines modified | Offset 178, 15 lines modified | ||
| 178 | NTP·server·for·<em>ntpserver</em>: | 178 | NTP·server·for·<em>ntpserver</em>: |
| 179 | <pre>server·<i>ntpserver</i></pre> | 179 | <pre>server·<i>ntpserver</i></pre> |
| 180 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 180 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 181 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible·to·collate·system | 181 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible·to·collate·system |
| 182 | logs·from·multiple·sources·or·correlate·computer·events·with·real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 182 | logs·from·multiple·sources·or·correlate·computer·events·with·real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 183 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 183 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 184 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27278-1">CCE-27278-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 184 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27278-1">CCE-27278-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 185 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38 | 185 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38702">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38702"><pre><code> |
| 186 | var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>" | 186 | var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>" |
| 187 | #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here. | 187 | #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here. |
| 188 | #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries | 188 | #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries |
| 189 | #·$1:·Path·to·the·config·file | 189 | #·$1:·Path·to·the·config·file |
| 190 | #·$2:·Comma-separated·list·of·servers | 190 | #·$2:·Comma-separated·list·of·servers |
| 191 | function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{ | 191 | function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{ |
| Offset 205, 15 lines modified | Offset 205, 15 lines modified | ||
| 205 | rhel7_ensure_there_are_servers_in_ntp_compatible_config_file | 205 | rhel7_ensure_there_are_servers_in_ntp_compatible_config_file |
| 206 | config_file="/etc/ntp.conf" | 206 | config_file="/etc/ntp.conf" |
| 207 | /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf" | 207 | /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf" |
| 208 | grep·-q·^server·"$config_file"·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers" | 208 | grep·-q·^server·"$config_file"·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers" |
| 209 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·id="guide-tree-leaf-idm38 | 209 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·id="guide-tree-leaf-idm38709"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">Enable·the·NTP·Daemon |
| 210 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 210 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 211 | ········The·<code>chronyd</code>·service·can·be·enabled·with·the·following·command: | 211 | ········The·<code>chronyd</code>·service·can·be·enabled·with·the·following·command: |
| 212 | ········<pre>$·sudo·systemctl·enable·chronyd.service</pre> | 212 | ········<pre>$·sudo·systemctl·enable·chronyd.service</pre> |
| 213 | Note:·The·<code>chronyd</code>·daemon·is·enabled·by·default. | 213 | Note:·The·<code>chronyd</code>·daemon·is·enabled·by·default. |
| 214 | <br><br> | 214 | <br><br> |
| 215 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 215 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| Offset 232, 15 lines modified | Offset 232, 15 lines modified | ||
| 232 | <br><br> | 232 | <br><br> |
| 233 | The·<code>chronyd</code>·and·<code>ntpd</code>·NTP·daemons·offer·all·of·the | 233 | The·<code>chronyd</code>·and·<code>ntpd</code>·NTP·daemons·offer·all·of·the |
| 234 | functionality·of·<code>ntpdate</code>,·which·is·now·deprecated.·Additional | 234 | functionality·of·<code>ntpdate</code>,·which·is·now·deprecated.·Additional |
| 235 | information·on·this·is·available·at | 235 | information·on·this·is·available·at |
| 236 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 236 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 237 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 237 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 238 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27444-9">CCE-27444-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 238 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27444-9">CCE-27444-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 239 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38 | 239 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38738">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38738"><pre><code> |
| 240 | if·!·`rpm·-q·--quiet·chrony`·&&·!·`rpm·-q·--quiet·ntp-`;·then | 240 | if·!·`rpm·-q·--quiet·chrony`·&&·!·`rpm·-q·--quiet·ntp-`;·then |
| 241 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 241 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 242 | # | 242 | # |
| 243 | #·Example·Call(s): | 243 | #·Example·Call(s): |
| 244 | # | 244 | # |
| 245 | #·····package_install·aide | 245 | #·····package_install·aide |
| Offset 445, 15 lines modified | Offset 445, 15 lines modified | ||
| 445 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program· | 445 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program· |
| 446 | is·called·<code>sshd</code>·and·provided·by·the·RPM·package | 446 | is·called·<code>sshd</code>·and·provided·by·the·RPM·package |
| 447 | <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary | 447 | <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary |
| 448 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 448 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 449 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 449 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 450 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 450 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 451 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 451 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 452 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm40 | 452 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm40013"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 453 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout | 453 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout |
| 454 | interval. | 454 | interval. |
| 455 | After·this·interval·has·passed,·the·idle·user·will·be | 455 | After·this·interval·has·passed,·the·idle·user·will·be |
| 456 | automatically·logged·out. | 456 | automatically·logged·out. |
| 457 | <br><br> | 457 | <br><br> |
| 458 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 458 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 459 | follows: | 459 | follows: |
| Offset 464, 15 lines modified | Offset 464, 15 lines modified | ||
| 464 | If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will· | 464 | If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will· |
| 465 | preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 465 | preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 466 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of | 466 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of |
| 467 | opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session | 467 | opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session |
| 468 | enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 468 | enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 469 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 469 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 470 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27433-2">CCE-27433-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 470 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27433-2">CCE-27433-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 471 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040320</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40 | 471 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040320</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm40040">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40040"><pre><code> |
| 472 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>" | 472 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>" |
| 473 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 473 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 474 | #·it·does·not·exist. | 474 | #·it·does·not·exist. |
| 475 | # | 475 | # |
| 476 | #·Expects·arguments: | 476 | #·Expects·arguments: |
| 477 | # | 477 | # |
| 478 | #·config_file:» » Configuration·file·that·will·be·modified | 478 | #·config_file:» » Configuration·file·that·will·be·modified |
| Max diff block lines reached; 385778/409115 bytes (94.30%) of diff not shown. | |||
| Offset 75, 24 lines modified | Offset 75, 24 lines modified | ||
| 75 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 75 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 76 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 76 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 77 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 77 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 78 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet | 78 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet |
| 79 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity | 79 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity |
| 80 | for·information·transmitted·on·the·network.·This·includes·authentication | 80 | for·information·transmitted·on·the·network.·This·includes·authentication |
| 81 | information·such·as·passwords.·Organizations·which·use·telnet·should·be | 81 | information·such·as·passwords.·Organizations·which·use·telnet·should·be |
| 82 | actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed"·id="guide-tree-leaf-idm36 | 82 | actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed"·id="guide-tree-leaf-idm36192"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet_removed">Remove·telnet·Clients |
| 83 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·client·allows·users·to·start·connections·to·other· | 83 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·client·allows·users·to·start·connections·to·other· |
| 84 | systems·via·the·telnet·protocol.</p><span·class="label·label-primary">Rationale:</span><p>The·<code>telnet</code>·protocol·is·insecure·and·unencrypted.·The·use | 84 | systems·via·the·telnet·protocol.</p><span·class="label·label-primary">Rationale:</span><p>The·<code>telnet</code>·protocol·is·insecure·and·unencrypted.·The·use |
| 85 | of·an·unencrypted·transmission·medium·could·allow·an·unauthorized·user | 85 | of·an·unencrypted·transmission·medium·could·allow·an·unauthorized·user |
| 86 | to·steal·credentials.·The·<code>ssh</code>·package·provides·an | 86 | to·steal·credentials.·The·<code>ssh</code>·package·provides·an |
| 87 | encrypted·session·and·stronger·security·and·is·included·in·Red·Hat | 87 | encrypted·session·and·stronger·security·and·is·included·in·Red·Hat |
| 88 | Enterprise·Linux.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 88 | Enterprise·Linux.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 89 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 89 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 90 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27305-2">CCE-27305-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 90 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27305-2">CCE-27305-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 91 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm362 | 91 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36213">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36213"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 92 | # | 92 | # |
| 93 | #·Example·Call(s): | 93 | #·Example·Call(s): |
| 94 | # | 94 | # |
| 95 | #·····package_remove·telnet-server | 95 | #·····package_remove·telnet-server |
| 96 | # | 96 | # |
| 97 | function·package_remove·{ | 97 | function·package_remove·{ |
| Offset 122, 38 lines modified | Offset 122, 38 lines modified | ||
| 122 | ··echo·"Aborting." | 122 | ··echo·"Aborting." |
| 123 | ··exit·1 | 123 | ··exit·1 |
| 124 | fi | 124 | fi |
| 125 | } | 125 | } |
| 126 | package_remove·telnet | 126 | package_remove·telnet |
| 127 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm362 | 127 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36215">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36215"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnet·is·removed |
| 128 | ··package: | 128 | ··package: |
| 129 | ····name="{{item}}" | 129 | ····name="{{item}}" |
| 130 | ····state=absent | 130 | ····state=absent |
| 131 | ··with_items: | 131 | ··with_items: |
| 132 | ····-·telnet | 132 | ····-·telnet |
| 133 | ··tags: | 133 | ··tags: |
| 134 | ····-·package_telnet_removed | 134 | ····-·package_telnet_removed |
| 135 | ····-·low_severity | 135 | ····-·low_severity |
| 136 | ····-·disable_strategy | 136 | ····-·disable_strategy |
| 137 | ····-·low_complexity | 137 | ····-·low_complexity |
| 138 | ····-·low_disruption | 138 | ····-·low_disruption |
| 139 | ····-·CCE-27305-2 | 139 | ····-·CCE-27305-2 |
| 140 | ····-·NIST-800-171-3.1.13 | 140 | ····-·NIST-800-171-3.1.13 |
| 141 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm362 | 141 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36216">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36216"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnet |
| 142 | class·remove_telnet·{ | 142 | class·remove_telnet·{ |
| 143 | ··package·{·'telnet': | 143 | ··package·{·'telnet': |
| 144 | ····ensure·=>·'purged', | 144 | ····ensure·=>·'purged', |
| 145 | ··} | 145 | ··} |
| 146 | } | 146 | } |
| 147 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm362 | 147 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36217">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36217"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 148 | package·--remove=telnet | 148 | package·--remove=telnet |
| 149 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled"·id="guide-tree-leaf-idm362 | 149 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled"·id="guide-tree-leaf-idm36222"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_telnet_disabled">Disable·telnet·Service |
| 150 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_telnet_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet</code>·service·configuration·file·<code>/etc/xinetd.d/telnet</code> | 150 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_telnet_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet</code>·service·configuration·file·<code>/etc/xinetd.d/telnet</code> |
| 151 | is·not·created·automatically.·If·it·was·created·manually,·check·the | 151 | is·not·created·automatically.·If·it·was·created·manually,·check·the |
| 152 | <code>/etc/xinetd.d/telnet</code>·file·and·ensure·that·<code>disable·=·no</code> | 152 | <code>/etc/xinetd.d/telnet</code>·file·and·ensure·that·<code>disable·=·no</code> |
| 153 | is·changed·to·read·<code>disable·=·yes</code>·as·follows·below: | 153 | is·changed·to·read·<code>disable·=·yes</code>·as·follows·below: |
| 154 | <pre> | 154 | <pre> |
| 155 | #·description:·The·telnet·server·serves·telnet·sessions;·it·uses·\\ | 155 | #·description:·The·telnet·server·serves·telnet·sessions;·it·uses·\\ |
| 156 | #·······unencrypted·username/password·pairs·for·authentication. | 156 | #·······unencrypted·username/password·pairs·for·authentication. |
| Offset 177, 27 lines modified | Offset 177, 27 lines modified | ||
| 177 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·telnet·protocol·uses·unencrypted·network·communication,·which | 177 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·telnet·protocol·uses·unencrypted·network·communication,·which |
| 178 | means·that·data·from·the·login·session,·including·passwords·and | 178 | means·that·data·from·the·login·session,·including·passwords·and |
| 179 | all·other·information·transmitted·during·the·session,·can·be | 179 | all·other·information·transmitted·during·the·session,·can·be |
| 180 | stolen·by·eavesdroppers·on·the·network.·The·telnet·protocol·is·also | 180 | stolen·by·eavesdroppers·on·the·network.·The·telnet·protocol·is·also |
| 181 | subject·to·man-in-the-middle·attacks.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 181 | subject·to·man-in-the-middle·attacks.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 182 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 182 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 183 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27401-9">CCE-27401-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 183 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27401-9">CCE-27401-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 184 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.18</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm362 | 184 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.18</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36249">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36249"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/telnet·&&·\ |
| 185 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/telnet | 185 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/telnet |
| 186 | # | 186 | # |
| 187 | #·Disable·telnet.socket·for·all·systemd·targets | 187 | #·Disable·telnet.socket·for·all·systemd·targets |
| 188 | # | 188 | # |
| 189 | systemctl·disable·telnet.socket | 189 | systemctl·disable·telnet.socket |
| 190 | # | 190 | # |
| 191 | #·Stop·telnet.socket·if·currently·running | 191 | #·Stop·telnet.socket·if·currently·running |
| 192 | # | 192 | # |
| 193 | systemctl·stop·telnet.socket | 193 | systemctl·stop·telnet.socket |
| 194 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm362 | 194 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36250">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36250"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·telnet |
| 195 | ··service: | 195 | ··service: |
| 196 | ····name="{{item}}" | 196 | ····name="{{item}}" |
| 197 | ····enabled="no" | 197 | ····enabled="no" |
| 198 | ····state="stopped" | 198 | ····state="stopped" |
| 199 | ··register:·service_result | 199 | ··register:·service_result |
| 200 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 200 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 201 | ··with_items: | 201 | ··with_items: |
| Offset 210, 30 lines modified | Offset 210, 30 lines modified | ||
| 210 | ····-·low_disruption | 210 | ····-·low_disruption |
| 211 | ····-·CCE-27401-9 | 211 | ····-·CCE-27401-9 |
| 212 | ····-·NIST-800-53-AC-17(8) | 212 | ····-·NIST-800-53-AC-17(8) |
| 213 | ····-·NIST-800-53-CM-7 | 213 | ····-·NIST-800-53-CM-7 |
| 214 | ····-·NIST-800-53-IA-5(1)(c) | 214 | ····-·NIST-800-53-IA-5(1)(c) |
| 215 | ····-·NIST-800-171-3.1.13 | 215 | ····-·NIST-800-171-3.1.13 |
| 216 | ····-·NIST-800-171-3.4.7 | 216 | ····-·NIST-800-171-3.4.7 |
| 217 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm362 | 217 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36255"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package |
| 218 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with | 218 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with |
| 219 | the·following·command: | 219 | the·following·command: |
| 220 | <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding | 220 | <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding |
| 221 | requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore | 221 | requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore |
| 222 | may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors. | 222 | may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors. |
| 223 | <br> | 223 | <br> |
| 224 | The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the· | 224 | The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the· |
| 225 | confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were | 225 | confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were |
| 226 | to·login·using·this·service,·the·privileged·user·password·could·be·compromised. | 226 | to·login·using·this·service,·the·privileged·user·password·could·be·compromised. |
| 227 | <br> | 227 | <br> |
| 228 | Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental· | 228 | Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental· |
| 229 | (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 229 | (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 230 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 230 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 231 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27165-0">CCE-27165-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 231 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27165-0">CCE-27165-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 232 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021710</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 232 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021710</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36284">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36284"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 233 | # | 233 | # |
| 234 | #·Example·Call(s): | 234 | #·Example·Call(s): |
| 235 | # | 235 | # |
| 236 | #·····package_remove·telnet-server | 236 | #·····package_remove·telnet-server |
| 237 | # | 237 | # |
| 238 | function·package_remove·{ | 238 | function·package_remove·{ |
| Offset 263, 15 lines modified | Offset 263, 15 lines modified | ||
| 263 | ··echo·"Aborting." | 263 | ··echo·"Aborting." |
| 264 | ··exit·1 | 264 | ··exit·1 |
| 265 | fi | 265 | fi |
| Max diff block lines reached; 145186/171623 bytes (84.60%) of diff not shown. | |||
| Offset 63, 29 lines modified | Offset 63, 29 lines modified | ||
| 63 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 63 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 64 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 64 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 65 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons | 65 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons |
| 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to |
| 67 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | 67 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost |
| 68 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | 68 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or |
| 69 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | 69 | may·not·be·required·on·a·given·system.·Both·daemons·should·be |
| 70 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm3 | 70 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm37021"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd) |
| 71 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to | 71 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to |
| 72 | schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed | 72 | schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed |
| 73 | execution·in·a·manner·similar·to·cron,·except·that·it·is·not | 73 | execution·in·a·manner·similar·to·cron,·except·that·it·is·not |
| 74 | recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via | 74 | recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via |
| 75 | <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time. | 75 | <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time. |
| 76 | ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command: | 76 | ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command: |
| 77 | ········<pre>$·sudo·systemctl·disable·atd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry | 77 | ········<pre>$·sudo·systemctl·disable·atd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry |
| 78 | out·activities·outside·of·a·normal·login·session,·which·could·complicate | 78 | out·activities·outside·of·a·normal·login·session,·which·could·complicate |
| 79 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or | 79 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or |
| 80 | <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 80 | <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 81 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 81 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 82 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80345-2">CCE-80345-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 82 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80345-2">CCE-80345-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 83 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm3 | 83 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm37038">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm37038"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 84 | # | 84 | # |
| 85 | #·Example·Call(s): | 85 | #·Example·Call(s): |
| 86 | # | 86 | # |
| 87 | #·····service_command·enable·bluetooth | 87 | #·····service_command·enable·bluetooth |
| 88 | #·····service_command·disable·bluetooth.service | 88 | #·····service_command·disable·bluetooth.service |
| 89 | # | 89 | # |
| 90 | #·····Using·xinetd: | 90 | #·····Using·xinetd: |
| Offset 153, 15 lines modified | Offset 153, 15 lines modified | ||
| 153 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 153 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 154 | ··fi | 154 | ··fi |
| 155 | fi | 155 | fi |
| 156 | } | 156 | } |
| 157 | service_command·disable·atd | 157 | service_command·disable·atd |
| 158 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 158 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm37040">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm37040"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd |
| 159 | ··service: | 159 | ··service: |
| 160 | ····name="{{item}}" | 160 | ····name="{{item}}" |
| 161 | ····enabled="no" | 161 | ····enabled="no" |
| 162 | ····state="stopped" | 162 | ····state="stopped" |
| 163 | ··register:·service_result | 163 | ··register:·service_result |
| 164 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 164 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 165 | ··with_items: | 165 | ··with_items: |
| Offset 176, 28 lines modified | Offset 176, 28 lines modified | ||
| 176 | ····-·NIST-800-53-CM-7 | 176 | ····-·NIST-800-53-CM-7 |
| 177 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_base"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_base">Base·Services | 177 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_base"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_base">Base·Services |
| 178 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·addresses·the·base·services·that·are·installed·on·a | 178 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·addresses·the·base·services·that·are·installed·on·a |
| 179 | Red·Hat·Enterprise·Linux·7·default·installation·which·are·not·covered·in·other | 179 | Red·Hat·Enterprise·Linux·7·default·installation·which·are·not·covered·in·other |
| 180 | sections.·Some·of·these·services·listen·on·the·network·and | 180 | sections.·Some·of·these·services·listen·on·the·network·and |
| 181 | should·be·treated·with·particular·discretion.·Other·services·are·local | 181 | should·be·treated·with·particular·discretion.·Other·services·are·local |
| 182 | system·utilities·that·may·or·may·not·be·extraneous.·In·general,·system·services | 182 | system·utilities·that·may·or·may·not·be·extraneous.·In·general,·system·services |
| 183 | should·be·disabled·if·not·required.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·id="guide-tree-leaf-idm38 | 183 | should·be·disabled·if·not·required.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·id="guide-tree-leaf-idm38825"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled">Disable·Network·Router·Discovery·Daemon·(rdisc) |
| 184 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rdisc_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rdisc</code>·service·implements·the·client·side·of·the·ICMP | 184 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rdisc_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rdisc</code>·service·implements·the·client·side·of·the·ICMP |
| 185 | Internet·Router·Discovery·Protocol·(IRDP),·which·allows·discovery·of·routers·on | 185 | Internet·Router·Discovery·Protocol·(IRDP),·which·allows·discovery·of·routers·on |
| 186 | the·local·subnet.·If·a·router·is·discovered·then·the·local·routing·table·is | 186 | the·local·subnet.·If·a·router·is·discovered·then·the·local·routing·table·is |
| 187 | updated·with·a·corresponding·default·route.·By·default·this·daemon·is·disabled. | 187 | updated·with·a·corresponding·default·route.·By·default·this·daemon·is·disabled. |
| 188 | ········The·<code>rdisc</code>·service·can·be·disabled·with·the·following·command: | 188 | ········The·<code>rdisc</code>·service·can·be·disabled·with·the·following·command: |
| 189 | ········<pre>$·sudo·systemctl·disable·rdisc.service</pre></p><span·class="label·label-primary">Rationale:</span><p>General-purpose·systems·typically·have·their·network·and·routing | 189 | ········<pre>$·sudo·systemctl·disable·rdisc.service</pre></p><span·class="label·label-primary">Rationale:</span><p>General-purpose·systems·typically·have·their·network·and·routing |
| 190 | information·configured·statically·by·a·system·administrator.·Workstations·or | 190 | information·configured·statically·by·a·system·administrator.·Workstations·or |
| 191 | some·special-purpose·systems·often·use·DHCP·(instead·of·IRDP)·to·retrieve | 191 | some·special-purpose·systems·often·use·DHCP·(instead·of·IRDP)·to·retrieve |
| 192 | dynamic·network·configuration·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 192 | dynamic·network·configuration·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 193 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 193 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80268-6">CCE-80268-6</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 194 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80268-6">CCE-80268-6</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 195 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38 | 195 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38837">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38837"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 196 | # | 196 | # |
| 197 | #·Example·Call(s): | 197 | #·Example·Call(s): |
| 198 | # | 198 | # |
| 199 | #·····service_command·enable·bluetooth | 199 | #·····service_command·enable·bluetooth |
| 200 | #·····service_command·disable·bluetooth.service | 200 | #·····service_command·disable·bluetooth.service |
| 201 | # | 201 | # |
| 202 | #·····Using·xinetd: | 202 | #·····Using·xinetd: |
| Offset 265, 15 lines modified | Offset 265, 15 lines modified | ||
| 265 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 265 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 266 | ··fi | 266 | ··fi |
| 267 | fi | 267 | fi |
| 268 | } | 268 | } |
| 269 | service_command·disable·rdisc | 269 | service_command·disable·rdisc |
| 270 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm38 | 270 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm38839">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38839"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rdisc |
| 271 | ··service: | 271 | ··service: |
| 272 | ····name="{{item}}" | 272 | ····name="{{item}}" |
| 273 | ····enabled="no" | 273 | ····enabled="no" |
| 274 | ····state="stopped" | 274 | ····state="stopped" |
| 275 | ··register:·service_result | 275 | ··register:·service_result |
| 276 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 276 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 277 | ··with_items: | 277 | ··with_items: |
| Offset 284, 28 lines modified | Offset 284, 28 lines modified | ||
| 284 | ····-·disable_strategy | 284 | ····-·disable_strategy |
| 285 | ····-·low_complexity | 285 | ····-·low_complexity |
| 286 | ····-·low_disruption | 286 | ····-·low_disruption |
| 287 | ····-·CCE-80268-6 | 287 | ····-·CCE-80268-6 |
| 288 | ····-·NIST-800-53-AC-17(8) | 288 | ····-·NIST-800-53-AC-17(8) |
| 289 | ····-·NIST-800-53-AC-4 | 289 | ····-·NIST-800-53-AC-4 |
| 290 | ····-·NIST-800-53-CM-7 | 290 | ····-·NIST-800-53-CM-7 |
| 291 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·id="guide-tree-leaf-idm38 | 291 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·id="guide-tree-leaf-idm38966"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">Disable·Odd·Job·Daemon·(oddjobd) |
| 292 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>oddjobd</code>·service·exists·to·provide·an·interface·and | 292 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>oddjobd</code>·service·exists·to·provide·an·interface·and |
| 293 | access·control·mechanism·through·which | 293 | access·control·mechanism·through·which |
| 294 | specified·privileged·tasks·can·run·tasks·for·unprivileged·client | 294 | specified·privileged·tasks·can·run·tasks·for·unprivileged·client |
| 295 | applications.·Communication·with·<code>oddjobd</code>·through·the·system·message·bus. | 295 | applications.·Communication·with·<code>oddjobd</code>·through·the·system·message·bus. |
| 296 | ········The·<code>oddjobd</code>·service·can·be·disabled·with·the·following·command: | 296 | ········The·<code>oddjobd</code>·service·can·be·disabled·with·the·following·command: |
| 297 | ········<pre>$·sudo·systemctl·disable·oddjobd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>oddjobd</code>·service·may·provide·necessary·functionality·in | 297 | ········<pre>$·sudo·systemctl·disable·oddjobd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>oddjobd</code>·service·may·provide·necessary·functionality·in |
| 298 | some·environments,·and·can·be·disabled·if·it·is·not·needed.·Execution·of | 298 | some·environments,·and·can·be·disabled·if·it·is·not·needed.·Execution·of |
| 299 | tasks·by·privileged·programs,·on·behalf·of·unprivileged·ones,·has·traditionally | 299 | tasks·by·privileged·programs,·on·behalf·of·unprivileged·ones,·has·traditionally |
| 300 | been·a·source·of·privilege·escalation·security·issues.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 300 | been·a·source·of·privilege·escalation·security·issues.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 301 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 301 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 302 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80263-7">CCE-80263-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 302 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80263-7">CCE-80263-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 303 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm389 | 303 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38978">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38978"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 304 | # | 304 | # |
| 305 | #·Example·Call(s): | 305 | #·Example·Call(s): |
| 306 | # | 306 | # |
| 307 | #·····service_command·enable·bluetooth | 307 | #·····service_command·enable·bluetooth |
| 308 | #·····service_command·disable·bluetooth.service | 308 | #·····service_command·disable·bluetooth.service |
| 309 | # | 309 | # |
| 310 | #·····Using·xinetd: | 310 | #·····Using·xinetd: |
| Offset 373, 15 lines modified | Offset 373, 15 lines modified | ||
| 373 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 373 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 374 | ··fi | 374 | ··fi |
| 375 | fi | 375 | fi |
| 376 | } | 376 | } |
| 377 | service_command·disable·oddjobd | 377 | service_command·disable·oddjobd |
| Max diff block lines reached; 339113/358841 bytes (94.50%) of diff not shown. | |||
| Offset 84, 68 lines modified | Offset 84, 68 lines modified | ||
| 84 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 84 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 85 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 85 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 86 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 86 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 87 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 87 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 88 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 88 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 90 | allow·cleartext·remote·access·and·have·an·insecure·trust | 90 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 91 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm360 | 91 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36064"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_host_based_files">Remove·Host-Based·Authentication·Files |
| 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts | 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts |
| 93 | and·users·that·are·trusted·by·the·local·system. | 93 | and·users·that·are·trusted·by·the·local·system. |
| 94 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | 94 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any |
| 95 | location: | 95 | location: |
| 96 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the | 96 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the |
| 97 | system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing | 97 | system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing |
| 98 | unauthorized·access·to·the·system,·as·it·does·not·require·interactive | 98 | unauthorized·access·to·the·system,·as·it·does·not·require·interactive |
| 99 | identification·and·authentication·of·a·connection·request,·or·for·the·use·of | 99 | identification·and·authentication·of·a·connection·request,·or·for·the·use·of |
| 100 | two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 100 | two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 101 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 101 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 102 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80513-5">CCE-80513-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 102 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80513-5">CCE-80513-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 103 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040550</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 103 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040550</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36075">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36075"><pre><code> |
| 104 | #·Identify·local·mounts | 104 | #·Identify·local·mounts |
| 105 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 105 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 106 | #·Find·file·on·each·listed·mount·point | 106 | #·Find·file·on·each·listed·mount·point |
| 107 | for·cur_mount·in·${MOUNT_LIST} | 107 | for·cur_mount·in·${MOUNT_LIST} |
| 108 | do | 108 | do |
| 109 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; | 109 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; |
| 110 | done | 110 | done |
| 111 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm361 | 111 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36112"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files |
| 112 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files | 112 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files |
| 113 | list·remote·hosts·and·users·that·are·trusted·by·the | 113 | list·remote·hosts·and·users·that·are·trusted·by·the |
| 114 | local·system.·To·remove·these·files,·run·the·following·command | 114 | local·system.·To·remove·these·files,·run·the·following·command |
| 115 | to·delete·them·from·any·location: | 115 | to·delete·them·from·any·location: |
| 116 | <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for | 116 | <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for |
| 117 | individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not | 117 | individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not |
| 118 | sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not | 118 | sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not |
| 119 | require·interactive·identification·and·authentication·of·a·connection·request, | 119 | require·interactive·identification·and·authentication·of·a·connection·request, |
| 120 | or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 120 | or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 121 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 121 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 122 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80514-3">CCE-80514-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 122 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80514-3">CCE-80514-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 123 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040540</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm361 | 123 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040540</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36123"><pre><code> |
| 124 | #·Identify·local·mounts | 124 | #·Identify·local·mounts |
| 125 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 125 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 126 | #·Find·file·on·each·listed·mount·point | 126 | #·Find·file·on·each·listed·mount·point |
| 127 | for·cur_mount·in·${MOUNT_LIST} | 127 | for·cur_mount·in·${MOUNT_LIST} |
| 128 | do | 128 | do |
| 129 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; | 129 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; |
| 130 | done | 130 | done |
| 131 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm361 | 131 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36128"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 132 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 132 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 133 | the·following·command: | 133 | the·following·command: |
| 134 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 134 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 135 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 135 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| 136 | authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password | 136 | authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password |
| 137 | could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure | 137 | could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure |
| 138 | network·services.·Removing·it·decreases·the·risk·of·those·services'·accidental·(or·intentional) | 138 | network·services.·Removing·it·decreases·the·risk·of·those·services'·accidental·(or·intentional) |
| 139 | activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 139 | activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 140 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 140 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 141 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27342-5">CCE-27342-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 141 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27342-5">CCE-27342-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 142 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020000</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm361 | 142 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020000</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36155">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36155"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 143 | # | 143 | # |
| 144 | #·Example·Call(s): | 144 | #·Example·Call(s): |
| 145 | # | 145 | # |
| 146 | #·····package_remove·telnet-server | 146 | #·····package_remove·telnet-server |
| 147 | # | 147 | # |
| 148 | function·package_remove·{ | 148 | function·package_remove·{ |
| Offset 175, 15 lines modified | Offset 175, 15 lines modified | ||
| 175 | ··echo·"Aborting." | 175 | ··echo·"Aborting." |
| 176 | ··exit·1 | 176 | ··exit·1 |
| 177 | fi | 177 | fi |
| 178 | } | 178 | } |
| 179 | package_remove·rsh-server | 179 | package_remove·rsh-server |
| 180 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 180 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36157">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36157"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh-server·is·removed |
| 181 | ··package: | 181 | ··package: |
| 182 | ····name="{{item}}" | 182 | ····name="{{item}}" |
| 183 | ····state=absent | 183 | ····state=absent |
| 184 | ··with_items: | 184 | ··with_items: |
| 185 | ····-·rsh-server | 185 | ····-·rsh-server |
| 186 | ··tags: | 186 | ··tags: |
| 187 | ····-·package_rsh-server_removed | 187 | ····-·package_rsh-server_removed |
| Offset 191, 43 lines modified | Offset 191, 43 lines modified | ||
| 191 | ····-·disable_strategy | 191 | ····-·disable_strategy |
| 192 | ····-·low_complexity | 192 | ····-·low_complexity |
| 193 | ····-·low_disruption | 193 | ····-·low_disruption |
| 194 | ····-·CCE-27342-5 | 194 | ····-·CCE-27342-5 |
| 195 | ····-·NIST-800-53-AC-17(8) | 195 | ····-·NIST-800-53-AC-17(8) |
| 196 | ····-·NIST-800-53-CM-7(a) | 196 | ····-·NIST-800-53-CM-7(a) |
| 197 | ····-·DISA-STIG-RHEL-07-020000 | 197 | ····-·DISA-STIG-RHEL-07-020000 |
| 198 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 198 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36158">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36158"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh-server |
| 199 | class·remove_rsh-server·{ | 199 | class·remove_rsh-server·{ |
| 200 | ··package·{·'rsh-server': | 200 | ··package·{·'rsh-server': |
| 201 | ····ensure·=>·'purged', | 201 | ····ensure·=>·'purged', |
| 202 | ··} | 202 | ··} |
| 203 | } | 203 | } |
| 204 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 204 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36159">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36159"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 205 | package·--remove=rsh-server | 205 | package·--remove=rsh-server |
| 206 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet | 206 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet |
| 207 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity | 207 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity |
| 208 | for·information·transmitted·on·the·network.·This·includes·authentication | 208 | for·information·transmitted·on·the·network.·This·includes·authentication |
| 209 | information·such·as·passwords.·Organizations·which·use·telnet·should·be | 209 | information·such·as·passwords.·Organizations·which·use·telnet·should·be |
| 210 | actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm362 | 210 | actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36255"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package |
| 211 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with | 211 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with |
| 212 | the·following·command: | 212 | the·following·command: |
| 213 | <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding | 213 | <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding |
| 214 | requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore | 214 | requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore |
| 215 | may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors. | 215 | may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors. |
| 216 | <br> | 216 | <br> |
| 217 | The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the· | 217 | The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the· |
| 218 | confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were | 218 | confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were |
| 219 | to·login·using·this·service,·the·privileged·user·password·could·be·compromised. | 219 | to·login·using·this·service,·the·privileged·user·password·could·be·compromised. |
| 220 | <br> | 220 | <br> |
| 221 | Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental· | 221 | Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental· |
| 222 | (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 222 | (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 223 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> | 223 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> |
| 224 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27165-0">CCE-27165-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 224 | ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27165-0">CCE-27165-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 225 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021710</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 225 | ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021710</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36284">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36284"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 226 | # | 226 | # |
| 227 | #·Example·Call(s): | 227 | #·Example·Call(s): |
| 228 | # | 228 | # |
| 229 | #·····package_remove·telnet-server | 229 | #·····package_remove·telnet-server |
| 230 | # | 230 | # |
| 231 | function·package_remove·{ | 231 | function·package_remove·{ |
| Max diff block lines reached; 1012116/1040524 bytes (97.27%) of diff not shown. | |||
| Offset 65, 45 lines modified | Offset 65, 43 lines modified | ||
| 65 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 65 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 66 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 66 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 67 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 67 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 68 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 68 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 69 | quality,·reliability,·or·any·other·characteristic. | 69 | quality,·reliability,·or·any·other·characteristic. |
| 70 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 70 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 71 | ····························(as·of·2018-07-26) | 71 | ····························(as·of·2018-07-26) |
| 72 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 72 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1198,·SHA:·bdda777e798c14415249d64418047c1cc9cd8c85417860e53ddf05c3b92b2b1b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·188·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 74 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 74 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 75 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 75 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 76 | ones·can·be·safely·disabled. | 76 | ones·can·be·safely·disabled. |
| 77 | <br><br> | 77 | <br><br> |
| 78 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 78 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 79 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 79 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 80 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 80 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 81 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 82 | 82 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 83 | 83 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 84 | 84 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 85 | 85 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 86 | 86 | <br><br> | |
| 87 | 87 | However,·there·are·some·FTP·server·configurations·which·may | |
| 88 | 88 | be·appropriate·for·some·environments,·particularly·those·which | |
| 89 | 89 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 90 | de | 90 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 91 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_s | 91 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 92 | 92 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package | |
| 93 | a | 93 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 94 | sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_samba_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_samba_removed"·id="guide-tree-leaf-idm29016"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_samba_removed">Uninstall·samba·Package | ||
| 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_samba_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 96 | ············ | 94 | ············ |
| 97 | ········The·<code>s | 95 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: |
| 98 | ········<pre>$·sudo·yum·erase·s | 96 | ········<pre>$·sudo·yum·erase·vsftpd</pre> |
| 99 | ··········</p><span·class="label·label-primary">Rationale:</span><p> | 97 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 100 | 98 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 101 | 99 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | |
| 102 | ············· | 100 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 103 | # | 101 | # |
| 104 | #·Example·Call(s): | 102 | #·Example·Call(s): |
| 105 | # | 103 | # |
| 106 | #·····package_remove·telnet-server | 104 | #·····package_remove·telnet-server |
| 107 | # | 105 | # |
| 108 | function·package_remove·{ | 106 | function·package_remove·{ |
| Offset 132, 59 lines modified | Offset 130, 60 lines modified | ||
| 132 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 130 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 133 | ··echo·"Aborting." | 131 | ··echo·"Aborting." |
| 134 | ··exit·1 | 132 | ··exit·1 |
| 135 | fi | 133 | fi |
| 136 | } | 134 | } |
| 137 | package_remove·s | 135 | package_remove·vsftpd |
| 138 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 136 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29125">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29125"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·removed |
| 139 | ··package: | 137 | ··package: |
| 140 | ····name="{{item}}" | 138 | ····name="{{item}}" |
| 141 | ····state=absent | 139 | ····state=absent |
| 142 | ··with_items: | 140 | ··with_items: |
| 143 | ····-·s | 141 | ····-·vsftpd |
| 144 | ··tags: | 142 | ··tags: |
| 145 | ····-·package_s | 143 | ····-·package_vsftpd_removed |
| 146 | ····-·unknown_severity | 144 | ····-·unknown_severity |
| 147 | ····-·disable_strategy | 145 | ····-·disable_strategy |
| 148 | ····-·low_complexity | 146 | ····-·low_complexity |
| 149 | ····-·low_disruption | 147 | ····-·low_disruption |
| 150 | ····-·CCE-2 | 148 | ····-·CCE-26687-4 |
| 151 | 149 | ····-·NIST-800-53-CM-7 | |
| 150 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29126">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29126"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_vsftpd | ||
| 152 | class·remove_s | 151 | class·remove_vsftpd·{ |
| 153 | ··package·{·'s | 152 | ··package·{·'vsftpd': |
| 154 | ····ensure·=>·'purged', | 153 | ····ensure·=>·'purged', |
| 155 | ··} | 154 | ··} |
| 156 | } | 155 | } |
| 157 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 156 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29127">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29127"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 158 | package·--remove=s | 157 | package·--remove=vsftpd |
| 159 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server | 158 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server |
| 160 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to | 159 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to |
| 161 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant | 160 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant |
| 162 | security·risk·because: | 161 | security·risk·because: |
| 163 | <br><br> | 162 | <br><br> |
| 164 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long | 163 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long |
| 165 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive | 164 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive |
| 166 | monitoring</li></ul> | 165 | monitoring</li></ul> |
| 167 | <br><br> | 166 | <br><br> |
| 168 | The·system's·default·web·server·software·is·Apache·2·and·is | 167 | The·system's·default·web·server·software·is·Apache·2·and·is |
| 169 | provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable·Apache·if·Possible | 168 | provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable·Apache·if·Possible |
| 170 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Apache·was·installed·and·activated,·but·the·system | 169 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Apache·was·installed·and·activated,·but·the·system |
| 171 | does·not·need·to·act·as·a·web·server,·then·it·should·be·disabled | 170 | does·not·need·to·act·as·a·web·server,·then·it·should·be·disabled |
| 172 | and·removed·from·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed"·id="guide-tree-leaf-idm291 | 171 | and·removed·from·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed"·id="guide-tree-leaf-idm29176"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_httpd_removed">Uninstall·httpd·Package |
| 173 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_httpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 172 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_httpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 174 | ············ | 173 | ············ |
| 175 | ········The·<code>httpd</code>·package·can·be·removed·with·the·following·command: | 174 | ········The·<code>httpd</code>·package·can·be·removed·with·the·following·command: |
| 176 | ········<pre>$·sudo·yum·erase·httpd</pre> | 175 | ········<pre>$·sudo·yum·erase·httpd</pre> |
| 177 | ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·make·the·web·server·software·available, | 176 | ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·make·the·web·server·software·available, |
| 178 | removing·it·provides·a·safeguard·against·its·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 177 | removing·it·provides·a·safeguard·against·its·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 179 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 178 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 180 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm291 | 179 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29183">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29183"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 181 | # | 180 | # |
| 182 | #·Example·Call(s): | 181 | #·Example·Call(s): |
| 183 | # | 182 | # |
| 184 | #·····package_remove·telnet-server | 183 | #·····package_remove·telnet-server |
| 185 | # | 184 | # |
| 186 | function·package_remove·{ | 185 | function·package_remove·{ |
| Offset 214, 88 lines modified | Offset 213, 54 lines modified | ||
| 214 | ··echo·"Aborting." | 213 | ··echo·"Aborting." |
| 215 | ··exit·1 | 214 | ··exit·1 |
| 216 | fi | 215 | fi |
| 217 | } | 216 | } |
| 218 | package_remove·httpd | 217 | package_remove·httpd |
| 219 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm291 | 218 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29185">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29185"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·httpd·is·removed |
| 220 | ··package: | 219 | ··package: |
| 221 | ····name="{{item}}" | 220 | ····name="{{item}}" |
| 222 | ····state=absent | 221 | ····state=absent |
| 223 | ··with_items: | 222 | ··with_items: |
| 224 | ····-·httpd | 223 | ····-·httpd |
| 225 | ··tags: | 224 | ··tags: |
| 226 | ····-·package_httpd_removed | 225 | ····-·package_httpd_removed |
| 227 | ····-·unknown_severity | 226 | ····-·unknown_severity |
| 228 | ····-·disable_strategy | 227 | ····-·disable_strategy |
| 229 | ····-·low_complexity | 228 | ····-·low_complexity |
| 230 | ····-·low_disruption | 229 | ····-·low_disruption |
| 231 | ····-·CCE-27133-8 | 230 | ····-·CCE-27133-8 |
| Max diff block lines reached; 1491404/1518978 bytes (98.18%) of diff not shown. | |||
| Offset 56, 45 lines modified | Offset 56, 62 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1198,·SHA:·bdda777e798c14415249d64418047c1cc9cd8c85417860e53ddf05c3b92b2b1b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·313·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·124·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·124·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 72 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 72 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 73 | 73 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 74 | 74 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 75 | 75 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 76 | 76 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 77 | 77 | <br><br> | |
| 78 | 78 | However,·there·are·some·FTP·server·configurations·which·may | |
| 79 | 79 | be·appropriate·for·some·environments,·particularly·those·which | |
| 80 | 80 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 81 | de | 81 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is |
| 83 | 83 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | |
| 84 | a | 84 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions |
| 85 | 85 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | |
| 86 | 86 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | |
| 87 | <pre>xferlog_enable=YES | ||
| 88 | xferlog_std_format=NO | ||
| 89 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | ||
| 90 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | ||
| 91 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 92 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 93 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29067"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users | ||
| 94 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 95 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 96 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 97 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 98 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible | ||
| 99 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all | ||
| 100 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29100"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | ||
| 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 87 | ············ | 102 | ············ |
| 88 | ········The·<code>s | 103 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 89 | ········<pre>$·sudo·chkconfig·s | 104 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 90 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running· | 105 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue |
| 91 | 106 | of·attack,·and·should·be·disabled·if·not·needed. | |
| 107 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | ||
| 108 | a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 92 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 109 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 93 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 110 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 94 | # | 111 | # |
| 95 | #·Example·Call(s): | 112 | #·Example·Call(s): |
| 96 | # | 113 | # |
| 97 | #·····service_command·enable·bluetooth | 114 | #·····service_command·enable·bluetooth |
| 98 | #·····service_command·disable·bluetooth.service | 115 | #·····service_command·disable·bluetooth.service |
| 99 | # | 116 | # |
| 100 | #·····Using·xinetd: | 117 | #·····Using·xinetd: |
| Offset 161, 135 lines modified | Offset 178, 123 lines modified | ||
| 161 | ··else | 178 | ··else |
| 162 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 179 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 163 | ··fi | 180 | ··fi |
| 164 | fi | 181 | fi |
| 165 | } | 182 | } |
| 166 | service_command·disable·s | 183 | service_command·disable·vsftpd |
| 167 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 184 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29110">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29110"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd |
| 168 | ··service: | 185 | ··service: |
| 169 | ····name="{{item}}" | 186 | ····name="{{item}}" |
| 170 | ····enabled="no" | 187 | ····enabled="no" |
| 171 | ····state="stopped" | 188 | ····state="stopped" |
| 172 | ··register:·service_result | 189 | ··register:·service_result |
| 173 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 190 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 174 | ··with_items: | 191 | ··with_items: |
| 175 | ····-·s | 192 | ····-·vsftpd |
| 176 | ··tags: | 193 | ··tags: |
| 177 | ····-·service_s | 194 | ····-·service_vsftpd_disabled |
| 178 | ····-·unknown_severity | 195 | ····-·unknown_severity |
| 179 | ····-·disable_strategy | 196 | ····-·disable_strategy |
| 180 | ····-·low_complexity | 197 | ····-·low_complexity |
| 181 | ····-·low_disruption | 198 | ····-·low_disruption |
| 182 | ····-·CCE-2 | 199 | ····-·CCE-26948-0 |
| 183 | 200 | ····-·NIST-800-53-CM-7 | |
| 184 | · | 201 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package |
| 185 | 202 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | |
| 186 | 203 | ············ | |
| 187 | 204 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | |
| 188 | 205 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | |
| 189 | an | 206 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 190 | 207 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 191 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_smb_server_disable_root"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_smb_server_disable_root"·id="guide-tree-leaf-idm29072"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_smb_server_disable_root">Disable·Root·Access·to·SMB·Shares | ||
| 192 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_smb_server_disable_root">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Administrators·should·not·use·administrator·accounts·to·access | ||
| 193 | Samba·file·and·printer·shares.·Disable·the·root·user·and·the·wheel | ||
| 194 | administrator·group: | ||
| 195 | <pre>[<i>share</i>] | ||
| 196 | ··invalid·users·=·root·@wheel</pre> | ||
| 197 | If·administrator·accounts·cannot·be·disabled,·ensure·that·local·system | ||
| 198 | passwords·and·Samba·service·passwords·do·not·match.</p><span·class="label·label-primary">Rationale:</span><p>Typically,·administrator·access·is·required·when·Samba·must·create·user·and | ||
| 199 | system·accounts·and·shares.·Domain·member·servers·and·standalone·servers·may | ||
| 200 | not·need·administrator·access·at·all.·If·that·is·the·case,·add·the·invalid | ||
| 201 | users·parameter·to·<code>[global]</code>·instead.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 202 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient | ||
| 203 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | ||
| 204 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | ||
| 205 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | ||
| 206 | <pre>client·signing·=·mandatory</pre> | ||
| 207 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | ||
| 208 | signing·ensures·they·can | ||
| 209 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | ||
| 210 | man-in-the-middle·attacks·which·modify·SMB·packets·in | ||
| 211 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 212 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 208 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 213 | ············<a·href="http://iase.disa.mil/stigs/ | 209 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 214 | # | 210 | # |
| 215 | # | 211 | #·Example·Call(s): |
| 216 | # | 212 | # |
| 213 | #·····package_remove·telnet-server | ||
| 214 | # | ||
| 215 | function·package_remove·{ | ||
| 217 | 216 | #·Load·function·arguments·into·local·variables | |
| 217 | local·package="$1" | ||
| Max diff block lines reached; 2227557/2257794 bytes (98.66%) of diff not shown. | |||
| Offset 61, 268 lines modified | Offset 61, 146 lines modified | ||
| 61 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 61 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 62 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 62 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 63 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 63 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 64 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 64 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 65 | quality,·reliability,·or·any·other·characteristic. | 65 | quality,·reliability,·or·any·other·characteristic. |
| 66 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 66 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 67 | ····························(as·of·2018-07-26) | 67 | ····························(as·of·2018-07-26) |
| 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SS[·...·truncated·by·diffoscope;·len:·769,·SHA:·db505ea275ff2d5c2ba13f068156b97f7fb51fc9aa062d91c74450db7783e2d3·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·215·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 72 | ones·can·be·safely·disabled. | 72 | ones·can·be·safely·disabled. |
| 73 | <br><br> | 73 | <br><br> |
| 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 76 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·62·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 76 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·62·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 77 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 77 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 78 | 78 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 79 | se | 79 | that·passwords·and·other·data·transmitted·during·the·session·can·be |
| 80 | 80 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 81 | 81 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 82 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive | ||
| 83 | monitoring</li></ul> | ||
| 84 | <br><br> | ||
| 85 | The·system's·default·web·server·software·is·Apache·2·and·is | ||
| 86 | provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_securing_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_securing_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_securing_httpd">Secure·Apache·Configuration | ||
| 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_securing_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>httpd</code>·configuration·file·is | ||
| 88 | <code>/etc/httpd/conf/httpd.conf</code>.·Apply·the·recommendations·in·the·remainder | ||
| 89 | of·this·section·to·this·file.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_securing_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">Restrict·Web·Server·Information·Leakage | ||
| 90 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>ServerTokens</code>·and·<code>ServerSignature</code>·directives·determine·how | ||
| 91 | much·information·the·web·server·discloses·about·the·configuration·of·the | ||
| 92 | system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_servertokens_prod"·id="guide-tree-leaf-idm29183"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod">Set·httpd·ServerTokens·Directive·to·Prod | ||
| 93 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_servertokens_prod">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p><code>ServerTokens·Prod</code>·restricts·information·in·page·headers,·returning·only·the·word·"Apache." | ||
| 94 | <br><br> | 82 | <br><br> |
| 95 | 83 | However,·there·are·some·FTP·server·configurations·which·may | |
| 96 | 84 | be·appropriate·for·some·environments,·particularly·those·which | |
| 97 | 85 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 98 | 86 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible | |
| 99 | ············ | 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 100 | 88 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29100"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | |
| 101 | 89 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | |
| 102 | ············ | 90 | ············ |
| 103 | ········ | 91 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 104 | 92 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> | |
| 105 | 93 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue | |
| 106 | 94 | of·attack,·and·should·be·disabled·if·not·needed. | |
| 107 | 95 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | |
| 108 | c | 96 | a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 109 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29249">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29249"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> | ||
| 110 | -·name:·Find·/etc/httpd/conf/*·file(s) | ||
| 111 | ··find: | ||
| 112 | ····paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}" | ||
| 113 | ····patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}" | ||
| 114 | ··register:·files_found | ||
| 115 | ··tags: | ||
| 116 | ····-·file_permissions_httpd_server_conf_files | ||
| 117 | ····-·unknown_severity | ||
| 118 | ····-·configure_strategy | ||
| 119 | ····-·low_complexity | ||
| 120 | ····-·low_disruption | ||
| 121 | ····-·CCE-27316-9 | ||
| 122 | ····-·NIST-800-53-CM-7 | ||
| 123 | -·name:·Set·permissions | ||
| 124 | ··file: | ||
| 125 | ····path:·"{{·item.path·}}" | ||
| 126 | ····mode:·0640 | ||
| 127 | ··with_items: | ||
| 128 | ····-·"{{·files_found.files·}}" | ||
| 129 | ··tags: | ||
| 130 | ····-·file_permissions_httpd_server_conf_files | ||
| 131 | ····-·unknown_severity | ||
| 132 | ····-·configure_strategy | ||
| 133 | ····-·low_complexity | ||
| 134 | ····-·low_disruption | ||
| 135 | ····-·CCE-27316-9 | ||
| 136 | ····-·NIST-800-53-CM-7 | ||
| 137 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·id="guide-tree-leaf-idm29252"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">Set·Permissions·on·the·/var/log/httpd/·Directory | ||
| 138 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Ensure·that·the·permissions·on·the·web·server·log·directory·is·set·to·700: | ||
| 139 | <pre>$·sudo·chmod·700·/var/log/httpd/</pre> | ||
| 140 | This·is·its·default·setting.</p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker | ||
| 141 | to·access·information·about·the·web·server·or·alter·the·server's·log·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 142 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 97 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 143 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div>< | 98 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 144 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. | ||
| 145 | Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious | ||
| 146 | targets·of·network·attack. | ||
| 147 | Ensure·that·systems·are·not·running·MTAs·unnecessarily, | ||
| 148 | and·configure·needed·MTAs·as·defensively·as·possible. | ||
| 149 | <br><br> | ||
| 150 | Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the | ||
| 151 | network.·Users·should·instead·use·mail·client·programs·to·retrieve·email | ||
| 152 | from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. | ||
| 153 | However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, | ||
| 154 | for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. | ||
| 155 | Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from | ||
| 156 | the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), | ||
| 157 | but·the·system·still·cannot·receive·mail·directly·over·a·network. | ||
| 158 | <br><br> | ||
| 159 | The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software | ||
| 160 | (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. | ||
| 161 | Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by | ||
| 162 | SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. | ||
| 163 | More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients | ||
| 164 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only | ||
| 165 | e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29524"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening | ||
| 166 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following | ||
| 167 | <code>inet_interfaces</code>·line·appears: | ||
| 168 | <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages | ||
| 169 | (such·as·cron·job·reports)·from·the·local·system·only, | ||
| 170 | and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 171 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 172 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_sendmail_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed"·id="guide-tree-leaf-idm29616"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_sendmail_removed">Uninstall·Sendmail·Package | ||
| 173 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_sendmail_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Sendmail·is·not·the·default·mail·transfer·agent·and·is | ||
| 174 | not·installed·by·default. | ||
| 175 | ········The·<code>sendmail</code>·package·can·be·removed·with·the·following·command: | ||
| 176 | ········<pre>$·sudo·yum·erase·sendmail</pre></p><span·class="label·label-primary">Rationale:</span><p>The·sendmail·software·was·not·developed·with·security·in·mind·and | ||
| 177 | its·design·prevents·it·from·being·effectively·contained·by·SELinux.··Postfix | ||
| 178 | should·be·used·instead.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 179 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 180 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50472r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29625">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29625"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 181 | # | 99 | # |
| 182 | #·Example·Call(s): | 100 | #·Example·Call(s): |
| 183 | # | 101 | # |
| 184 | #····· | 102 | #·····service_command·enable·bluetooth |
| 103 | #·····service_command·disable·bluetooth.service | ||
| Max diff block lines reached; 1505603/1536645 bytes (97.98%) of diff not shown. | |||
| Offset 56, 89 lines modified | Offset 56, 44 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li[·...·truncated·by·diffoscope;·len:·1394,·SHA:·9a1bfb5c7765341b73597905fe9f3f980e67a77f0272acdc04afd633558c2516·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 74 | 74 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 75 | 75 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 76 | 76 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 77 | 77 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 78 | 78 | <br><br> | |
| 79 | 79 | However,·there·are·some·FTP·server·configurations·which·may | |
| 80 | 80 | be·appropriate·for·some·environments,·particularly·those·which | |
| 81 | 81 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 82 | de | 82 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is |
| 84 | 84 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | |
| 85 | a | 85 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict·the·Set·of·Users·Allowed·to·Access·FTP |
| 86 | 86 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·describes·how·to·disable·non-anonymous·(password-based)·FTP·logins,·or,·if·it·is·not·possible·to | |
| 87 | 87 | do·this·entirely·due·to·legacy·applications,·how·to·restrict·insecure·FTP·login·to·only·those·users·who·have·an | |
| 88 | <co | 88 | identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary |
| 89 | <c | 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and |
| 90 | 90 | set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible | |
| 91 | s | 91 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 92 | and·al | 92 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server |
| 93 | printers.·It·is·recommended·that·these·settings·be·changed·or·that | ||
| 94 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb_disable_printing"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_disable_printing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_smb_disable_printing">Restrict·Printer·Sharing | ||
| 95 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb_disable_printing">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·Samba·utilizes·the·CUPS·printing·service·to·enable | ||
| 96 | printer·sharing·with·Microsoft·Windows·workstations.·If·there·are·no·printers | ||
| 97 | on·the·local·system,·or·if·printer·sharing·with·Microsoft·Windows·is·not | ||
| 98 | required,·disable·the·printer·sharing·capability·by·commenting·out·the | ||
| 99 | following·lines,·found·in·<code>/etc/samba/smb.conf</code>: | ||
| 100 | <pre>[global] | ||
| 101 | ··load·printers·=·yes | ||
| 102 | ··cups·options·=·raw | ||
| 103 | [printers] | ||
| 104 | ··comment·=·All·Printers | ||
| 105 | ··path·=·/usr/spool/samba | ||
| 106 | ··browseable·=·no | ||
| 107 | ··guest·ok·=·no | ||
| 108 | ··writable·=·no | ||
| 109 | ··printable·=·yes</pre> | ||
| 110 | There·may·be·other·options·present,·but·these·are·the·only·options·enabled·and | ||
| 111 | uncommented·by·default.·Removing·the·<code>[printers]</code>·share·should·be·enough | ||
| 112 | for·most·users.··If·the·Samba·printer·sharing·capability·is·needed,·consider | ||
| 113 | disabling·the·Samba·network·browsing·capability·or·restricting·access·to·a | ||
| 114 | particular·set·of·users·or·network·addresses.·Set·the·<code>valid·users</code> | ||
| 115 | parameter·to·a·small·subset·of·users·or·restrict·it·to·a·particular·group·of | ||
| 116 | users·with·the·shorthand·<code>@</code>.·Separate·each·user·or·group·of·users·with | ||
| 117 | a·space.·For·example,·under·the·<code>[printers]</code>·share: | ||
| 118 | <pre>[printers] | ||
| 119 | ··valid·users·=·user·@printerusers</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb_disable_printing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">Restrict·SMB·File·Sharing·to·Configured·Networks | ||
| 120 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Only·users·with·local·user·accounts·will·be·able·to·log·in·to | ||
| 121 | Samba·shares·by·default.·Shares·can·be·limited·to·particular·users·or·network | ||
| 122 | addresses.·Use·the·<code>hosts·allow</code>·and·<code>hosts·deny</code>·directives | ||
| 123 | accordingly,·and·consider·setting·the·valid·users·directive·to·a·limited·subset | ||
| 124 | of·users·or·to·a·group·of·users.·Separate·each·address,·user,·or·user·group | ||
| 125 | with·a·space·as·follows·for·a·particular·<i>share</i>·or·global: | ||
| 126 | <pre>[<i>share</i>] | ||
| 127 | ··hosts·allow·=·192.168.1.·127.0.0.1 | ||
| 128 | ··valid·users·=·userone·usertwo·@usergroup</pre> | ||
| 129 | It·is·also·possible·to·limit·read·and·write·access·to·particular·users·with·the | ||
| 130 | read·list·and·write·list·options,·though·the·permissions·set·by·the·system | ||
| 131 | itself·will·override·these·settings.·Set·the·read·only·attribute·for·each·share | ||
| 132 | to·ensure·that·global·settings·will·not·accidentally·override·the·individual | ||
| 133 | share·settings.·Then,·as·with·the·valid·users·directive,·separate·each·user·or | ||
| 134 | group·of·users·with·a·space: | ||
| 135 | <pre>[<i>share</i>] | ||
| 136 | ··read·only·=·yes | ||
| 137 | ··write·list·=·userone·usertwo·@usergroup</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server | ||
| 138 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to | 93 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to |
| 139 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant | 94 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant |
| 140 | security·risk·because: | 95 | security·risk·because: |
| 141 | <br><br> | 96 | <br><br> |
| 142 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long | 97 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long |
| 143 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive | 98 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive |
| 144 | monitoring</li></ul> | 99 | monitoring</li></ul> |
| Offset 351, 165 lines modified | Offset 306, 179 lines modified | ||
| 351 | <pre>#LoadModule·ext_filter_module·modules/mod_ext_filter.so</pre></li><li>User-specified·Cache·Control·and·Expiration | 306 | <pre>#LoadModule·ext_filter_module·modules/mod_ext_filter.so</pre></li><li>User-specified·Cache·Control·and·Expiration |
| 352 | <pre>#LoadModule·expires_module·modules/mod_expires.so</pre></li><li>Compression·Output·Filter·(provides·content·compression·prior·to·client·delivery) | 307 | <pre>#LoadModule·expires_module·modules/mod_expires.so</pre></li><li>Compression·Output·Filter·(provides·content·compression·prior·to·client·delivery) |
| 353 | <pre>#LoadModule·deflate_module·modules/mod_deflate.so</pre></li><li>HTTP·Response/Request·Header·Customization | 308 | <pre>#LoadModule·deflate_module·modules/mod_deflate.so</pre></li><li>HTTP·Response/Request·Header·Customization |
| 354 | <pre>#LoadModule·headers_module·modules/mod_headers.so</pre></li><li>User·activity·monitoring·via·cookies | 309 | <pre>#LoadModule·headers_module·modules/mod_headers.so</pre></li><li>User·activity·monitoring·via·cookies |
| 355 | <pre>#LoadModule·usertrack_module·modules/mod_usertrack.so</pre></li><li>Dynamically·configured·mass·virtual·hosting | 310 | <pre>#LoadModule·usertrack_module·modules/mod_usertrack.so</pre></li><li>Dynamically·configured·mass·virtual·hosting |
| 356 | <pre>#LoadModule·vhost_alias_module·modules/mod_vhost_alias.so</pre></li></ul> | 311 | <pre>#LoadModule·vhost_alias_module·modules/mod_vhost_alias.so</pre></li></ul> |
| 357 | Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk | 312 | Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk |
| 358 | by·limiting·the·capabilities·allowed·by·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 313 | by·limiting·the·capabilities·allowed·by·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server |
| 359 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 314 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at |
| 360 | 315 | least·one·nameserver.·However,·there·are·many·common·attacks | |
| 361 | 316 | involving·DNS·server·software,·and·this·server·software·should | |
| 362 | 317 | be·disabled·on·any·system | |
| 363 | and·con | 318 | on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_isolation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_isolation">Isolate·DNS·from·Other·Services |
| 364 | < | 319 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server |
| 365 | 320 | from·interfering·with·other·services.·This·is·done·both·to·protect·the | |
| 366 | ne | 321 | remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct |
| 367 | fro | 322 | attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail |
| 368 | 323 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package: | |
| 369 | 324 | <pre>$·sudo·yum·install·bind-chroot</pre> | |
| 370 | 325 | Place·a·valid·named.conf·file·inside·the·chroot·jail: | |
| 371 | 326 | <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf | |
| 372 | 327 | $·sudo·chown·root:root·/var/named/chroot/etc/named.conf | |
| 373 | 328 | $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre> | |
| 374 | 329 | Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the | |
| 375 | 330 | options·directive.·If·your·<code>named.conf</code>·includes: | |
| 376 | 331 | <pre>options·{ | |
| 377 | 332 | directory·"/path/to/DIRNAME·"; | |
| 378 | 333 | ... | |
| 379 | 334 | }</pre> | |
| 380 | 335 | then·copy·that·directory·and·its·contents·from·the·original·zone·directory: | |
| 381 | 336 | <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre> | |
| 382 | 337 | Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>: | |
| 383 | 338 | <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers | |
| 384 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 339 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is |
| 385 | 340 | a·high-risk·service·which·must·frequently·be·made·available·to·the·entire | |
| 386 | 341 | Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by | |
| 387 | 342 | machines·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_protection"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_protection">Protect·DNS·Data·from·Tampering·or·Attack | |
| Max diff block lines reached; 198673/261308 bytes (76.03%) of diff not shown. | |||
| Offset 57, 45 lines modified | Offset 57, 45 lines modified | ||
| 57 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·1034,·SHA:·1b10be6148833f42610be20bd7d90e370d8d04968a079fa39af8874411e4f268·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·206·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·63·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·63·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 74 | 74 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 75 | 75 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 76 | 76 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 77 | 77 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 78 | 78 | <br><br> | |
| 79 | 79 | However,·there·are·some·FTP·server·configurations·which·may | |
| 80 | 80 | be·appropriate·for·some·environments,·particularly·those·which | |
| 81 | 81 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 82 | de | 82 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_s | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 84 | 84 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29100"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | |
| 85 | a | 85 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 86 | sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm29002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba | ||
| 87 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 88 | ············ | 86 | ············ |
| 89 | ········The·<code>s | 87 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 90 | ········<pre>$·sudo·chkconfig·s | 88 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 91 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running· | 89 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue |
| 92 | 90 | of·attack,·and·should·be·disabled·if·not·needed. | |
| 91 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | ||
| 92 | a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 94 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 94 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 95 | # | 95 | # |
| 96 | #·Example·Call(s): | 96 | #·Example·Call(s): |
| 97 | # | 97 | # |
| 98 | #·····service_command·enable·bluetooth | 98 | #·····service_command·enable·bluetooth |
| 99 | #·····service_command·disable·bluetooth.service | 99 | #·····service_command·disable·bluetooth.service |
| 100 | # | 100 | # |
| 101 | #·····Using·xinetd: | 101 | #·····Using·xinetd: |
| Offset 162, 124 lines modified | Offset 162, 123 lines modified | ||
| 162 | ··else | 162 | ··else |
| 163 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 163 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 164 | ··fi | 164 | ··fi |
| 165 | fi | 165 | fi |
| 166 | } | 166 | } |
| 167 | service_command·disable·s | 167 | service_command·disable·vsftpd |
| 168 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 168 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29110">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29110"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd |
| 169 | ··service: | 169 | ··service: |
| 170 | ····name="{{item}}" | 170 | ····name="{{item}}" |
| 171 | ····enabled="no" | 171 | ····enabled="no" |
| 172 | ····state="stopped" | 172 | ····state="stopped" |
| 173 | ··register:·service_result | 173 | ··register:·service_result |
| 174 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 174 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 175 | ··with_items: | 175 | ··with_items: |
| 176 | ····-·s | 176 | ····-·vsftpd |
| 177 | ··tags: | 177 | ··tags: |
| 178 | ····-·service_s | 178 | ····-·service_vsftpd_disabled |
| 179 | ····-·unknown_severity | 179 | ····-·unknown_severity |
| 180 | ····-·disable_strategy | 180 | ····-·disable_strategy |
| 181 | ····-·low_complexity | 181 | ····-·low_complexity |
| 182 | ····-·low_disruption | 182 | ····-·low_disruption |
| 183 | ····-·CCE-2 | 183 | ····-·CCE-26948-0 |
| 184 | 184 | ····-·NIST-800-53-CM-7 | |
| 185 | · | 185 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package |
| 186 | 186 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | |
| 187 | 187 | ············ | |
| 188 | 188 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | |
| 189 | 189 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | |
| 190 | an | 190 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 191 | 191 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 192 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient | ||
| 193 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | ||
| 194 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | ||
| 195 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | ||
| 196 | <pre>client·signing·=·mandatory</pre> | ||
| 197 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | ||
| 198 | signing·ensures·they·can | ||
| 199 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | ||
| 200 | man-in-the-middle·attacks·which·modify·SMB·packets·in | ||
| 201 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 202 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 192 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 203 | ············<a·href="http://iase.disa.mil/stigs/ | 193 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 204 | # | 194 | # |
| 205 | # | 195 | #·Example·Call(s): |
| 206 | # | 196 | # |
| 197 | #·····package_remove·telnet-server | ||
| 198 | # | ||
| 199 | function·package_remove·{ | ||
| 207 | 200 | #·Load·function·arguments·into·local·variables | |
| 201 | local·package="$1" | ||
| 208 | 202 | #·Check·sanity·of·the·input | |
| 209 | 203 | if·[·$#·-ne·"1"·] | |
| 210 | 204 | then | |
| 205 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 206 | ··echo·"Aborting." | ||
| 207 | ··exit·1 | ||
| 208 | fi | ||
| 209 | if·which·dnf·;·then | ||
| 210 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 211 | ····dnf·remove·-y·"$package" | ||
| 212 | ··fi | ||
| 213 | elif·which·yum·;·then | ||
| 214 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 215 | ····yum·remove·-y·"$package" | ||
| 216 | ··fi | ||
| 217 | elif·which·apt-get·;·then | ||
| 218 | ··apt-get·remove·-y·"$package" | ||
| 211 | else | 219 | else |
| 212 | 220 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 221 | ··echo·"Aborting." | ||
| 222 | ··exit·1 | ||
| 213 | fi | 223 | fi |
| 214 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 215 | ··stat: | ||
| Max diff block lines reached; 1564541/1590373 bytes (98.38%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_o | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·81,·SHA:·4c0efd7fd5ff299a2185037a736930f562109fd8f8ac833d06c44618aa2adc79·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·211·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 91, 15 lines modified | Offset 91, 15 lines modified | ||
| 91 | <br><br> | 91 | <br><br> |
| 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 93 | servers,·and·the·remainder·obtaining·time·information·from·those | 93 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 94 | internal·servers. | 94 | internal·servers. |
| 95 | <br><br> | 95 | <br><br> |
| 96 | More·information·on·how·to·configure·the·NTP·server·software, | 96 | More·information·on·how·to·configure·the·NTP·server·software, |
| 97 | including·configuration·of·cryptographic·authentication·for | 97 | including·configuration·of·cryptographic·authentication·for |
| 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm298 | 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29837"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 100 | ·········· | 100 | ·········· |
| 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 108, 15 lines modified | Offset 108, 15 lines modified | ||
| 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 109 | logs·and·auditing·possible·security·breaches.·· | 109 | logs·and·auditing·possible·security·breaches.·· |
| 110 | <br><br> | 110 | <br><br> |
| 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 112 | deprecated.··Additional·information·on·this·is·available·at· | 112 | deprecated.··Additional·information·on·this·is·available·at· |
| 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29854">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29854"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 116 | # | 116 | # |
| 117 | #·Example·Call(s): | 117 | #·Example·Call(s): |
| 118 | # | 118 | # |
| 119 | #·····service_command·enable·bluetooth | 119 | #·····service_command·enable·bluetooth |
| 120 | #·····service_command·disable·bluetooth.service | 120 | #·····service_command·disable·bluetooth.service |
| 121 | # | 121 | # |
| 122 | #·····Using·xinetd: | 122 | #·····Using·xinetd: |
| Offset 184, 15 lines modified | Offset 184, 15 lines modified | ||
| 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 185 | ··fi | 185 | ··fi |
| 186 | fi | 186 | fi |
| 187 | } | 187 | } |
| 188 | service_command·enable·ntpd | 188 | service_command·enable·ntpd |
| 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 190 | ··service: | 190 | ··service: |
| 191 | ····name="{{item}}" | 191 | ····name="{{item}}" |
| 192 | ····enabled="yes" | 192 | ····enabled="yes" |
| 193 | ····state="started" | 193 | ····state="started" |
| 194 | ··with_items: | 194 | ··with_items: |
| 195 | ····-·ntpd | 195 | ····-·ntpd |
| 196 | ··tags: | 196 | ··tags: |
| Offset 201, 35 lines modified | Offset 201, 248 lines modified | ||
| 201 | ····-·enable_strategy | 201 | ····-·enable_strategy |
| 202 | ····-·low_complexity | 202 | ····-·low_complexity |
| 203 | ····-·low_disruption | 203 | ····-·low_disruption |
| 204 | ····-·CCE-27093-4 | 204 | ····-·CCE-27093-4 |
| 205 | ····-·NIST-800-53-AU-8(1) | 205 | ····-·NIST-800-53-AU-8(1) |
| 206 | ····-·PCI-DSS-Req-10.4 | 206 | ····-·PCI-DSS-Req-10.4 |
| 207 | ····-·DISA-STIG-RHEL-06-000247 | 207 | ····-·DISA-STIG-RHEL-06-000247 |
| 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29 | 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization |
| 210 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | 210 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the |
| 211 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | 211 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for |
| 212 | <em>ntpserver</em>: | 212 | <em>ntpserver</em>: |
| 213 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | 213 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of |
| 214 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | 214 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes |
| 215 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | 215 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for |
| 216 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 216 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 217 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 217 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 218 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29 | 218 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29873"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 220 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 220 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 221 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 221 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 222 | <pre>server·<i>ntpserver</i></pre> | 222 | <pre>server·<i>ntpserver</i></pre> |
| 223 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 223 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 224 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 224 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 225 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 225 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| 226 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 226 | real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 227 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 227 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 228 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_o | 228 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons |
| 229 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 230 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 231 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 232 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 233 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled"·id="guide-tree-leaf-idm30086"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_crond_enabled">Enable·cron·Service | ||
| 234 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_crond_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>crond</code>·service·is·used·to·execute·commands·at | ||
| 235 | preconfigured·times.·It·is·required·by·almost·all·systems·to·perform·necessary | ||
| 236 | maintenance·tasks,·such·as·notifying·root·of·system·activity. | ||
| 237 | ········The·<code>crond</code>·service·can·be·enabled·with·the·following·command: | ||
| 238 | ········<pre>$·sudo·chkconfig·--level·2345·crond·on</pre></p><span·class="label·label-primary">Rationale:</span><p>Due·to·its·usage·for·maintenance·and·security-supporting·tasks, | ||
| 239 | enabling·the·cron·daemon·is·essential.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 240 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 241 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50406r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm30096">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30096"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 242 | # | ||
| 243 | #·Example·Call(s): | ||
| 244 | # | ||
| 245 | #·····service_command·enable·bluetooth | ||
| 246 | #·····service_command·disable·bluetooth.service | ||
| 247 | # | ||
| 248 | #·····Using·xinetd: | ||
| 249 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 250 | # | ||
| 251 | function·service_command·{ | ||
| 252 | #·Load·function·arguments·into·local·variables | ||
| 253 | local·service_state=$1 | ||
| 254 | local·service=$2 | ||
| 255 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 256 | #·Check·sanity·of·the·input | ||
| 257 | if·[·$#·-lt·"2"·] | ||
| 258 | then | ||
| 259 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 260 | ··echo | ||
| Max diff block lines reached; 1517700/1549558 bytes (97.94%) of diff not shown. | |||
| Offset 56, 23 lines modified | Offset 56, 140 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="[·...·truncated·by·diffoscope;·len:·734,·SHA:·25c03cfca8c8e7566953764cd9421d66561e88aec462809a5f7eec462db2bd40·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·192·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·51·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·51·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 72 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to | ||
| 73 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | ||
| 74 | that·passwords·and·other·data·transmitted·during·the·session·can·be | ||
| 75 | captured·and·that·the·session·is·vulnerable·to·hijacking. | ||
| 76 | Therefore,·running·the·FTP·server·software·is·not·recommended. | ||
| 77 | <br><br> | ||
| 78 | However,·there·are·some·FTP·server·configurations·which·may | ||
| 79 | be·appropriate·for·some·environments,·particularly·those·which | ||
| 80 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | ||
| 81 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | ||
| 82 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is | ||
| 83 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | ||
| 84 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict·the·Set·of·Users·Allowed·to·Access·FTP | ||
| 85 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·describes·how·to·disable·non-anonymous·(password-based)·FTP·logins,·or,·if·it·is·not·possible·to | ||
| 86 | do·this·entirely·due·to·legacy·applications,·how·to·restrict·insecure·FTP·login·to·only·those·users·who·have·an | ||
| 87 | identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·id="guide-tree-leaf-idm29006"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">Restrict·Access·to·Anonymous·Users·if·Possible | ||
| 88 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than | ||
| 89 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: | ||
| 90 | <pre>local_enable=NO</pre> | ||
| 91 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure | ||
| 92 | these·logins·as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 94 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_home_partition"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_home_partition"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_home_partition">Place·the·FTP·Home·Directory·on·its·Own·Partition | ||
| 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_home_partition">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can | ||
| 96 | be·used·to·verify·that·this·directory·is·on·its·own·partition.</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·a·mission-critical·reason·for·anonymous·users·to·upload·files,·precautions·must·be·taken·to·prevent | ||
| 97 | these·users·from·filling·a·disk·used·by·other·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 98 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions | ||
| 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | ||
| 100 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | ||
| 101 | <pre>xferlog_enable=YES | ||
| 102 | xferlog_std_format=NO | ||
| 103 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | ||
| 104 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | ||
| 105 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 106 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 107 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·id="guide-tree-leaf-idm29060"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads">Disable·FTP·Uploads·if·Possible | ||
| 108 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_disable_uploads">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not, | ||
| 109 | edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options: | ||
| 110 | <pre>write_enable=NO</pre> | ||
| 111 | If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions | ||
| 112 | as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·FTP·can·be·a·convenient·way·to·make·files·available·for·universal·download.·However,·it·is·less | ||
| 113 | common·to·have·a·need·to·allow·unauthenticated·users·to·place·files·on·the·FTP·server.·If·this·must·be·done,·it | ||
| 114 | is·necessary·to·ensure·that·files·cannot·be·uploaded·and·downloaded·from·the·same·directory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 115 | ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29067"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users | ||
| 116 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 117 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 118 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 119 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 120 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | ||
| 121 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and | ||
| 122 | set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·id="guide-tree-leaf-idm29083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed">Install·vsftpd·Package | ||
| 123 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. | ||
| 124 | <pre>$·sudo·yum·install·vsftpd</pre></p><span·class="label·label-primary">Rationale:</span><p>After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security | ||
| 125 | and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 126 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 127 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 128 | # | ||
| 129 | #·Example·Call(s): | ||
| 130 | # | ||
| 131 | #·····package_install·aide | ||
| 132 | # | ||
| 133 | function·package_install·{ | ||
| 134 | #·Load·function·arguments·into·local·variables | ||
| 135 | local·package="$1" | ||
| 136 | #·Check·sanity·of·the·input | ||
| 137 | if·[·$#·-ne·"1"·] | ||
| 138 | then | ||
| 139 | ··echo·"Usage:·package_install·'package_name'" | ||
| 140 | ··echo·"Aborting." | ||
| 141 | ··exit·1 | ||
| 142 | fi | ||
| 143 | if·which·dnf·;·then | ||
| 144 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 145 | ····dnf·install·-y·"$package" | ||
| 146 | ··fi | ||
| 147 | elif·which·yum·;·then | ||
| 148 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 149 | ····yum·install·-y·"$package" | ||
| 150 | ··fi | ||
| 151 | elif·which·apt-get·;·then | ||
| 152 | ··apt-get·install·-y·"$package" | ||
| 153 | else | ||
| 154 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 155 | ··echo·"Aborting." | ||
| 156 | ··exit·1 | ||
| 157 | fi | ||
| 158 | } | ||
| 159 | package_install·vsftpd | ||
| 160 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29092">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29092"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·installed | ||
| 161 | ··package: | ||
| 162 | ····name="{{item}}" | ||
| 163 | ····state=present | ||
| 164 | ··with_items: | ||
| 165 | ····-·vsftpd | ||
| 166 | ··tags: | ||
| 167 | ····-·package_vsftpd_installed | ||
| 168 | ····-·unknown_severity | ||
| 169 | ····-·enable_strategy | ||
| 170 | ····-·low_complexity | ||
| 171 | ····-·low_disruption | ||
| 172 | ····-·CCE-27187-4 | ||
| 173 | ····-·NIST-800-53-CM-7 | ||
| 174 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29093">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29093"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_vsftpd | ||
| 175 | class·install_vsftpd·{ | ||
| 176 | ··package·{·'vsftpd': | ||
| Max diff block lines reached; 1399001/1424926 bytes (98.18%) of diff not shown. | |||
| Offset 61, 125 lines modified | Offset 61, 125 lines modified | ||
| 61 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 61 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 62 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 62 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 63 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 63 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 64 | quality,·reliability,·or·any·other·characteristic. | 64 | quality,·reliability,·or·any·other·characteristic. |
| 65 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat· | 65 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat· |
| 66 | Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 66 | Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 67 | ····························(as·of·2018-07-26) | 67 | ····························(as·of·2018-07-26) |
| 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 68 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org[·...·truncated·by·diffoscope;·len:·879,·SHA:·a9e3098c4894efb85e37b60670bbc0450483217500119b1f1ca43a0e1222a6a3·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·270·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 69 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 70 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 71 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 72 | ones·can·be·safely·disabled. | 72 | ones·can·be·safely·disabled. |
| 73 | <br><br> | 73 | <br><br> |
| 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 74 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 75 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 76 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·76·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 76 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·76·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 77 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 77 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 78 | 78 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 79 | 79 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 80 | 80 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 81 | 81 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 82 | 82 | <br><br> | |
| 83 | 83 | However,·there·are·some·FTP·server·configurations·which·may | |
| 84 | 84 | be·appropriate·for·some·environments,·particularly·those·which | |
| 85 | 85 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 86 | de | 86 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 88 | <c | 88 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package |
| 89 | <c | 89 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 90 | 90 | ············ | |
| 91 | 91 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | |
| 92 | 92 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | |
| 93 | p | 93 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 94 | a | 94 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 95 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | ||
| 96 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | ||
| 97 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | ||
| 98 | <pre>client·signing·=·mandatory</pre> | ||
| 99 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | ||
| 100 | signing·ensures·they·can | ||
| 101 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | ||
| 102 | man-in-the-middle·attacks·which·modify·SMB·packets·in | ||
| 103 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 104 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 95 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 105 | ············<a·href="http://iase.disa.mil/stigs/ | 96 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 106 | # | 97 | # |
| 107 | # | 98 | #·Example·Call(s): |
| 108 | # | 99 | # |
| 100 | #·····package_remove·telnet-server | ||
| 101 | # | ||
| 102 | function·package_remove·{ | ||
| 109 | 103 | #·Load·function·arguments·into·local·variables | |
| 104 | local·package="$1" | ||
| 110 | 105 | #·Check·sanity·of·the·input | |
| 111 | 106 | if·[·$#·-ne·"1"·] | |
| 112 | 107 | then | |
| 108 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 109 | ··echo·"Aborting." | ||
| 110 | ··exit·1 | ||
| 111 | fi | ||
| 112 | if·which·dnf·;·then | ||
| 113 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 114 | ····dnf·remove·-y·"$package" | ||
| 115 | ··fi | ||
| 116 | elif·which·yum·;·then | ||
| 117 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 118 | ····yum·remove·-y·"$package" | ||
| 119 | ··fi | ||
| 120 | elif·which·apt-get·;·then | ||
| 121 | ··apt-get·remove·-y·"$package" | ||
| 113 | else | 122 | else |
| 114 | 123 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 124 | ··echo·"Aborting." | ||
| 125 | ··exit·1 | ||
| 115 | fi | 126 | fi |
| 116 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 117 | ··stat: | ||
| 118 | ····path:·/etc/samba/smb.conf | ||
| 119 | ··register:·st_smb | ||
| 120 | ··tags: | ||
| 121 | ····-·require_smb_client_signing | ||
| 122 | ····-·unknown_severity | ||
| 123 | ····-·configure_strategy | ||
| 124 | ····-·low_complexity | ||
| 125 | ····-·medium_disruption | ||
| 126 | ····-·CCE-26328-5 | ||
| 127 | ····-·DISA-STIG-RHEL-06-000272 | ||
| 128 | 127 | } | |
| 129 | ··lineinfile: | ||
| 130 | 128 | package_remove·vsftpd | |
| 131 | ····line | 129 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29125">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29125"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·removed |
| 132 | ·· | 130 | ··package: |
| 133 | ···· | 131 | ····name="{{item}}" |
| 134 | ·· | 132 | ····state=absent |
| 133 | ··with_items: | ||
| 134 | ····-·vsftpd | ||
| 135 | ··tags: | 135 | ··tags: |
| 136 | ····-· | 136 | ····-·package_vsftpd_removed |
| 137 | ····-·unknown_severity | 137 | ····-·unknown_severity |
| 138 | ····-· | 138 | ····-·disable_strategy |
| 139 | ····-·low_complexity | 139 | ····-·low_complexity |
| 140 | ····-· | 140 | ····-·low_disruption |
| 141 | ····-·CCE-26 | 141 | ····-·CCE-26687-4 |
| 142 | ····-· | 142 | ····-·NIST-800-53-CM-7 |
| 143 | </code></pre></div>< | 143 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29126">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29126"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_vsftpd |
| 144 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba | ||
| 145 | 144 | class·remove_vsftpd·{ | |
| 146 | 145 | ··package·{·'vsftpd': | |
| 147 | 146 | ····ensure·=>·'purged', | |
| 148 | 147 | ··} | |
| 149 | 148 | } | |
| 150 | client·sho | 149 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29127">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29127"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 151 | pack | 150 | package·--remove=vsftpd |
| 152 | 151 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server | |
| 153 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 154 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server | ||
| 155 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to | 152 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to |
| 156 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant | 153 | content·via·the·HTTP·protocol.·Web·servers·represent·a·significant |
| 157 | security·risk·because: | 154 | security·risk·because: |
| 158 | <br><br> | 155 | <br><br> |
| 159 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long | 156 | <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long |
| 160 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive | 157 | history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive |
| 161 | monitoring</li></ul> | 158 | monitoring</li></ul> |
| Max diff block lines reached; 1979883/2003660 bytes (98.81%) of diff not shown. | |||
| Offset 56, 15 lines modified | Offset 56, 15 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 91, 15 lines modified | Offset 91, 15 lines modified | ||
| 91 | <br><br> | 91 | <br><br> |
| 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 92 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 93 | servers,·and·the·remainder·obtaining·time·information·from·those | 93 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 94 | internal·servers. | 94 | internal·servers. |
| 95 | <br><br> | 95 | <br><br> |
| 96 | More·information·on·how·to·configure·the·NTP·server·software, | 96 | More·information·on·how·to·configure·the·NTP·server·software, |
| 97 | including·configuration·of·cryptographic·authentication·for | 97 | including·configuration·of·cryptographic·authentication·for |
| 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm298 | 98 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29837"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 99 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 100 | ·········· | 100 | ·········· |
| 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 101 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 102 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 103 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 104 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 105 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Offset 108, 15 lines modified | Offset 108, 15 lines modified | ||
| 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate | 108 | services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate |
| 109 | logs·and·auditing·possible·security·breaches.·· | 109 | logs·and·auditing·possible·security·breaches.·· |
| 110 | <br><br> | 110 | <br><br> |
| 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· | 111 | The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now· |
| 112 | deprecated.··Additional·information·on·this·is·available·at· | 112 | deprecated.··Additional·information·on·this·is·available·at· |
| 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 113 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 114 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 115 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29854">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29854"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 116 | # | 116 | # |
| 117 | #·Example·Call(s): | 117 | #·Example·Call(s): |
| 118 | # | 118 | # |
| 119 | #·····service_command·enable·bluetooth | 119 | #·····service_command·enable·bluetooth |
| 120 | #·····service_command·disable·bluetooth.service | 120 | #·····service_command·disable·bluetooth.service |
| 121 | # | 121 | # |
| 122 | #·····Using·xinetd: | 122 | #·····Using·xinetd: |
| Offset 184, 15 lines modified | Offset 184, 15 lines modified | ||
| 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 184 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 185 | ··fi | 185 | ··fi |
| 186 | fi | 186 | fi |
| 187 | } | 187 | } |
| 188 | service_command·enable·ntpd | 188 | service_command·enable·ntpd |
| 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 189 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd |
| 190 | ··service: | 190 | ··service: |
| 191 | ····name="{{item}}" | 191 | ····name="{{item}}" |
| 192 | ····enabled="yes" | 192 | ····enabled="yes" |
| 193 | ····state="started" | 193 | ····state="started" |
| 194 | ··with_items: | 194 | ··with_items: |
| 195 | ····-·ntpd | 195 | ····-·ntpd |
| 196 | ··tags: | 196 | ··tags: |
| Offset 201, 25 lines modified | Offset 201, 25 lines modified | ||
| 201 | ····-·enable_strategy | 201 | ····-·enable_strategy |
| 202 | ····-·low_complexity | 202 | ····-·low_complexity |
| 203 | ····-·low_disruption | 203 | ····-·low_disruption |
| 204 | ····-·CCE-27093-4 | 204 | ····-·CCE-27093-4 |
| 205 | ····-·NIST-800-53-AU-8(1) | 205 | ····-·NIST-800-53-AU-8(1) |
| 206 | ····-·PCI-DSS-Req-10.4 | 206 | ····-·PCI-DSS-Req-10.4 |
| 207 | ····-·DISA-STIG-RHEL-06-000247 | 207 | ····-·DISA-STIG-RHEL-06-000247 |
| 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29 | 208 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization | 209 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization |
| 210 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the | 210 | in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the |
| 211 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for | 211 | following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for |
| 212 | <em>ntpserver</em>: | 212 | <em>ntpserver</em>: |
| 213 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | 213 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of |
| 214 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | 214 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes |
| 215 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | 215 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for |
| 216 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 216 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 217 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 217 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 218 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29 | 218 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29873"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit | 219 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit |
| 220 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, | 220 | the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines, |
| 221 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 221 | substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 222 | <pre>server·<i>ntpserver</i></pre> | 222 | <pre>server·<i>ntpserver</i></pre> |
| 223 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 223 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 224 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible | 224 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible |
| 225 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with | 225 | to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with |
| Offset 234, 15 lines modified | Offset 234, 15 lines modified | ||
| 234 | detailed·documentation·is·available·from·its·website, | 234 | detailed·documentation·is·available·from·its·website, |
| 235 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and | 235 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and |
| 236 | provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary | 236 | provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary |
| 237 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 237 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 238 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 238 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 239 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 239 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 240 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 240 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 241 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31 | 241 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31843"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 242 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout | 242 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout |
| 243 | interval. | 243 | interval. |
| 244 | After·this·interval·has·passed,·the·idle·user·will·be | 244 | After·this·interval·has·passed,·the·idle·user·will·be |
| 245 | automatically·logged·out. | 245 | automatically·logged·out. |
| 246 | <br><br> | 246 | <br><br> |
| 247 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 247 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 248 | follows: | 248 | follows: |
| Offset 253, 23 lines modified | Offset 253, 23 lines modified | ||
| 253 | If·a·shorter·timeout·has·already·been·set·for·the·login | 253 | If·a·shorter·timeout·has·already·been·set·for·the·login |
| 254 | shell,·that·value·will·preempt·any·SSH | 254 | shell,·that·value·will·preempt·any·SSH |
| 255 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 255 | setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 256 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out | 256 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out |
| 257 | guards·against·compromises·one·system·leading·trivially | 257 | guards·against·compromises·one·system·leading·trivially |
| 258 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 258 | to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 259 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 259 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 260 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000879</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50409r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm31 | 260 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000879</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50409r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm31864">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31864"><pre><code> |
| 261 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>" | 261 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>" |
| 262 | grep·-q·^ClientAliveInterval·/etc/ssh/sshd_config·&&·\ | 262 | grep·-q·^ClientAliveInterval·/etc/ssh/sshd_config·&&·\ |
| 263 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config | 263 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config |
| 264 | if·!·[·$?·-eq·0·];·then | 264 | if·!·[·$?·-eq·0·];·then |
| 265 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config | 265 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config |
| 266 | fi | 266 | fi |
| 267 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm31 | 267 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm31866">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31866"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable |
| 268 | ··set_fact: | 268 | ··set_fact: |
| 269 | ····sshd_idle_timeout_value:·<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr> | 269 | ····sshd_idle_timeout_value:·<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr> |
| 270 | ··tags: | 270 | ··tags: |
| 271 | ····-·always | 271 | ····-·always |
| Max diff block lines reached; 764719/788511 bytes (96.98%) of diff not shown. | |||
| Offset 56, 23 lines modified | Offset 56, 135 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_o | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 65 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 66 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 67 | ones·can·be·safely·disabled. | 67 | ones·can·be·safely·disabled. |
| 68 | <br><br> | 68 | <br><br> |
| 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 69 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 70 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_o | 71 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons |
| 72 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | ||
| 73 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | ||
| 74 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | ||
| 75 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | ||
| 76 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm30103"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd) | ||
| 77 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to | ||
| 78 | schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed | ||
| 79 | execution·in·a·manner·similar·to·cron,·except·that·it·is·not | ||
| 80 | recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via | ||
| 81 | <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time. | ||
| 82 | ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command: | ||
| 83 | ········<pre>$·sudo·chkconfig·atd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry | ||
| 84 | out·activities·outside·of·a·normal·login·session,·which·could·complicate | ||
| 85 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or | ||
| 86 | <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 87 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 88 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50442r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm30121">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30121"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 89 | # | ||
| 90 | #·Example·Call(s): | ||
| 91 | # | ||
| 92 | #·····service_command·enable·bluetooth | ||
| 93 | #·····service_command·disable·bluetooth.service | ||
| 94 | # | ||
| 95 | #·····Using·xinetd: | ||
| 96 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 97 | # | ||
| 98 | function·service_command·{ | ||
| 99 | #·Load·function·arguments·into·local·variables | ||
| 100 | local·service_state=$1 | ||
| 101 | local·service=$2 | ||
| 102 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 103 | #·Check·sanity·of·the·input | ||
| 104 | if·[·$#·-lt·"2"·] | ||
| 105 | then | ||
| 106 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 107 | ··echo | ||
| 108 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 109 | ··echo·"as·the·last·argument"·· | ||
| 110 | ··echo·"Aborting." | ||
| 111 | ··exit·1 | ||
| 112 | fi | ||
| 113 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 114 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 115 | ··service_util="/usr/bin/systemctl" | ||
| 116 | else | ||
| 117 | ··service_util="/sbin/service" | ||
| 118 | ··chkconfig_util="/sbin/chkconfig" | ||
| 119 | fi | ||
| 120 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 121 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 122 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 123 | ··service_state="enable" | ||
| 124 | ··service_operation="start" | ||
| 125 | ··chkconfig_state="on" | ||
| 126 | else | ||
| 127 | ··service_state="disable" | ||
| 128 | ··service_operation="stop" | ||
| 129 | ··chkconfig_state="off" | ||
| 130 | fi | ||
| 131 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 132 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 133 | ··$service_util·$service·$service_operation | ||
| 134 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 135 | else | ||
| 136 | ··$service_util·$service_operation·$service | ||
| 137 | ··$service_util·$service_state·$service | ||
| 138 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 139 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 140 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 141 | ··$service_util·reset-failed·$service | ||
| 142 | fi | ||
| 143 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 144 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 145 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 146 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 147 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 148 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 149 | ··else | ||
| 150 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 151 | ··fi | ||
| 152 | fi | ||
| 153 | } | ||
| 154 | service_command·disable·atd | ||
| 155 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm30123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd | ||
| 156 | ··service: | ||
| 157 | ····name="{{item}}" | ||
| 158 | ····enabled="no" | ||
| 159 | ····state="stopped" | ||
| 160 | ··register:·service_result | ||
| 161 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 162 | ··with_items: | ||
| 163 | ····-·atd | ||
| 164 | ··tags: | ||
| 165 | ····-·service_atd_disabled | ||
| 166 | ····-·unknown_severity | ||
| 167 | ····-·disable_strategy | ||
| 168 | ····-·low_complexity | ||
| 169 | ····-·low_disruption | ||
| 170 | ····-·CCE-27249-2 | ||
| 171 | ····-·NIST-800-53-CM-7 | ||
| 172 | ····-·DISA-STIG-RHEL-06-000262 | ||
| Max diff block lines reached; 582581/597561 bytes (97.49%) of diff not shown. | |||
| Offset 57, 15 lines modified | Offset 57, 15 lines modified | ||
| 57 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgpr[·...·truncated·by·diffoscope;·len:·550,·SHA:·57496307fa97d1728004b56852784b91d9d3fe09769ff2b07f1473882fcbec47·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·186·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 83, 39 lines modified | Offset 83, 39 lines modified | ||
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in |
| 84 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a | 84 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a |
| 85 | <code>[global]</code>·configuration·section·and·a·series·of·user | 85 | <code>[global]</code>·configuration·section·and·a·series·of·user |
| 86 | created·share·definition·sections·meant·to·describe·file·or·print | 86 | created·share·definition·sections·meant·to·describe·file·or·print |
| 87 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode | 87 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode |
| 88 | and·allow·client·systems·to·access·local·home·directories·and | 88 | and·allow·client·systems·to·access·local·home·directories·and |
| 89 | printers.·It·is·recommended·that·these·settings·be·changed·or·that | 89 | printers.·It·is·recommended·that·these·settings·be·changed·or·that |
| 90 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29 | 90 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29696"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient |
| 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use |
| 92 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | 92 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section |
| 93 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | 93 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: |
| 94 | <pre>client·signing·=·mandatory</pre> | 94 | <pre>client·signing·=·mandatory</pre> |
| 95 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | 95 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet |
| 96 | signing·ensures·they·can | 96 | signing·ensures·they·can |
| 97 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | 97 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent |
| 98 | man-in-the-middle·attacks·which·modify·SMB·packets·in | 98 | man-in-the-middle·attacks·which·modify·SMB·packets·in |
| 99 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 99 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 100 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 100 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 101 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 101 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29707">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29707"><pre><code>###################################################################### |
| 102 | #By·Luke·"Brisk-OH"·Brisk | 102 | #By·Luke·"Brisk-OH"·Brisk |
| 103 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 103 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 104 | ###################################################################### | 104 | ###################################################################### |
| 105 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 105 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| 106 | if·[·"$CLIENTSIGNING"·-eq·0·];··then | 106 | if·[·"$CLIENTSIGNING"·-eq·0·];··then |
| 107 | » #·Add·to·global·section | 107 | » #·Add·to·global·section |
| 108 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 108 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 109 | else | 109 | else |
| 110 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 110 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 111 | fi | 111 | fi |
| 112 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 112 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29708">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29708"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists |
| 113 | ··stat: | 113 | ··stat: |
| 114 | ····path:·/etc/samba/smb.conf | 114 | ····path:·/etc/samba/smb.conf |
| 115 | ··register:·st_smb | 115 | ··register:·st_smb |
| 116 | ··tags: | 116 | ··tags: |
| 117 | ····-·require_smb_client_signing | 117 | ····-·require_smb_client_signing |
| 118 | ····-·unknown_severity | 118 | ····-·unknown_severity |
| 119 | ····-·configure_strategy | 119 | ····-·configure_strategy |
| Offset 135, 84 lines modified | Offset 135, 26 lines modified | ||
| 135 | ····-·require_smb_client_signing | 135 | ····-·require_smb_client_signing |
| 136 | ····-·unknown_severity | 136 | ····-·unknown_severity |
| 137 | ····-·configure_strategy | 137 | ····-·configure_strategy |
| 138 | ····-·low_complexity | 138 | ····-·low_complexity |
| 139 | ····-·medium_disruption | 139 | ····-·medium_disruption |
| 140 | ····-·CCE-26328-5 | 140 | ····-·CCE-26328-5 |
| 141 | ····-·DISA-STIG-RHEL-06-000272 | 141 | ····-·DISA-STIG-RHEL-06-000272 |
| 142 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29 | 142 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29713"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs |
| 143 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba | 143 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba |
| 144 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares | 144 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares |
| 145 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either | 145 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either |
| 146 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. | 146 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. |
| 147 | <br><br> | 147 | <br><br> |
| 148 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba | 148 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba |
| 149 | client·should·only·communicate·with·servers·who·can·support·SMB | 149 | client·should·only·communicate·with·servers·who·can·support·SMB |
| 150 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle | 150 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle |
| 151 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 151 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 152 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 152 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 153 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 153 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 154 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. | ||
| 155 | Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious | ||
| 156 | targets·of·network·attack. | ||
| 157 | Ensure·that·systems·are·not·running·MTAs·unnecessarily, | ||
| 158 | and·configure·needed·MTAs·as·defensively·as·possible. | ||
| 159 | <br><br> | ||
| 160 | Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the | ||
| 161 | network.·Users·should·instead·use·mail·client·programs·to·retrieve·email | ||
| 162 | from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. | ||
| 163 | However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, | ||
| 164 | for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. | ||
| 165 | Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from | ||
| 166 | the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), | ||
| 167 | but·the·system·still·cannot·receive·mail·directly·over·a·network. | ||
| 168 | <br><br> | ||
| 169 | The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software | ||
| 170 | (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. | ||
| 171 | Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by | ||
| 172 | SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. | ||
| 173 | More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients | ||
| 174 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only | ||
| 175 | e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29524"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening | ||
| 176 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following | ||
| 177 | <code>inet_interfaces</code>·line·appears: | ||
| 178 | <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages | ||
| 179 | (such·as·cron·job·reports)·from·the·local·system·only, | ||
| 180 | and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 181 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 182 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP | ||
| 183 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows | ||
| 184 | systems·to·request·and·obtain·an·IP·address·and·other·configuration | ||
| 185 | parameters·from·a·server. | ||
| 186 | <br><br> | ||
| 187 | This·guide·recommends·configuring·networking·on·clients·by·manually·editing | ||
| 188 | the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· | ||
| 189 | systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· | ||
| 190 | unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· | ||
| 191 | that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client | ||
| 192 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system | ||
| 193 | installer,·and·common·on·many·networks.·Nevertheless,·manual·management | ||
| 194 | of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and | ||
| 195 | accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29753"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client | ||
| 196 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 197 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 198 | following·changes: | ||
| 199 | <ul><li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 200 | <pre>BOOTPROTO=none</pre> | ||
| 201 | </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 202 | values·based·on·your·site's·addressing·scheme: | ||
| 203 | <pre>NETMASK=255.255.255.0 | ||
| 204 | IPADDR=192.168.1.2 | ||
| 205 | GATEWAY=192.168.1.1</pre> | ||
| Max diff block lines reached; 1363993/1390483 bytes (98.09%) of diff not shown. | |||
| Offset 58, 15 lines modified | Offset 58, 15 lines modified | ||
| 58 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 58 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 59 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 59 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 60 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 60 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 61 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 61 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 62 | quality,·reliability,·or·any·other·characteristic. | 62 | quality,·reliability,·or·any·other·characteristic. |
| 63 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 63 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 64 | ····························(as·of·2018-07-26) | 64 | ····························(as·of·2018-07-26) |
| 65 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ | 65 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li>[·...·truncated·by·diffoscope;·len:·399,·SHA:·fbfb410e2703115c5bde514edad124bef19a840feb775eacf478f7e80a5206c7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·182·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 66 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 67 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 67 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 68 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 68 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 69 | ones·can·be·safely·disabled. | 69 | ones·can·be·safely·disabled. |
| 70 | <br><br> | 70 | <br><br> |
| 71 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 71 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 72 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 72 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 84, 39 lines modified | Offset 84, 39 lines modified | ||
| 84 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in | 84 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in |
| 85 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a | 85 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a |
| 86 | <code>[global]</code>·configuration·section·and·a·series·of·user | 86 | <code>[global]</code>·configuration·section·and·a·series·of·user |
| 87 | created·share·definition·sections·meant·to·describe·file·or·print | 87 | created·share·definition·sections·meant·to·describe·file·or·print |
| 88 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode | 88 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode |
| 89 | and·allow·client·systems·to·access·local·home·directories·and | 89 | and·allow·client·systems·to·access·local·home·directories·and |
| 90 | printers.·It·is·recommended·that·these·settings·be·changed·or·that | 90 | printers.·It·is·recommended·that·these·settings·be·changed·or·that |
| 91 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29 | 91 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29696"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient |
| 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use |
| 93 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | 93 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section |
| 94 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | 94 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: |
| 95 | <pre>client·signing·=·mandatory</pre> | 95 | <pre>client·signing·=·mandatory</pre> |
| 96 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | 96 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet |
| 97 | signing·ensures·they·can | 97 | signing·ensures·they·can |
| 98 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | 98 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent |
| 99 | man-in-the-middle·attacks·which·modify·SMB·packets·in | 99 | man-in-the-middle·attacks·which·modify·SMB·packets·in |
| 100 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 100 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 101 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 101 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 102 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 102 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29707">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29707"><pre><code>###################################################################### |
| 103 | #By·Luke·"Brisk-OH"·Brisk | 103 | #By·Luke·"Brisk-OH"·Brisk |
| 104 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 104 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 105 | ###################################################################### | 105 | ###################################################################### |
| 106 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 106 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| 107 | if·[·"$CLIENTSIGNING"·-eq·0·];··then | 107 | if·[·"$CLIENTSIGNING"·-eq·0·];··then |
| 108 | » #·Add·to·global·section | 108 | » #·Add·to·global·section |
| 109 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 109 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 110 | else | 110 | else |
| 111 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 111 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 112 | fi | 112 | fi |
| 113 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 113 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29708">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29708"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists |
| 114 | ··stat: | 114 | ··stat: |
| 115 | ····path:·/etc/samba/smb.conf | 115 | ····path:·/etc/samba/smb.conf |
| 116 | ··register:·st_smb | 116 | ··register:·st_smb |
| 117 | ··tags: | 117 | ··tags: |
| 118 | ····-·require_smb_client_signing | 118 | ····-·require_smb_client_signing |
| 119 | ····-·unknown_severity | 119 | ····-·unknown_severity |
| 120 | ····-·configure_strategy | 120 | ····-·configure_strategy |
| Offset 136, 55 lines modified | Offset 136, 26 lines modified | ||
| 136 | ····-·require_smb_client_signing | 136 | ····-·require_smb_client_signing |
| 137 | ····-·unknown_severity | 137 | ····-·unknown_severity |
| 138 | ····-·configure_strategy | 138 | ····-·configure_strategy |
| 139 | ····-·low_complexity | 139 | ····-·low_complexity |
| 140 | ····-·medium_disruption | 140 | ····-·medium_disruption |
| 141 | ····-·CCE-26328-5 | 141 | ····-·CCE-26328-5 |
| 142 | ····-·DISA-STIG-RHEL-06-000272 | 142 | ····-·DISA-STIG-RHEL-06-000272 |
| 143 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29 | 143 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29713"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs |
| 144 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba | 144 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba |
| 145 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares | 145 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares |
| 146 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either | 146 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either |
| 147 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. | 147 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. |
| 148 | <br><br> | 148 | <br><br> |
| 149 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba | 149 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba |
| 150 | client·should·only·communicate·with·servers·who·can·support·SMB | 150 | client·should·only·communicate·with·servers·who·can·support·SMB |
| 151 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle | 151 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle |
| 152 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 152 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 153 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 153 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 154 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 154 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 155 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. | ||
| 156 | Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious | ||
| 157 | targets·of·network·attack. | ||
| 158 | Ensure·that·systems·are·not·running·MTAs·unnecessarily, | ||
| 159 | and·configure·needed·MTAs·as·defensively·as·possible. | ||
| 160 | <br><br> | ||
| 161 | Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the | ||
| 162 | network.·Users·should·instead·use·mail·client·programs·to·retrieve·email | ||
| 163 | from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. | ||
| 164 | However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, | ||
| 165 | for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. | ||
| 166 | Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from | ||
| 167 | the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), | ||
| 168 | but·the·system·still·cannot·receive·mail·directly·over·a·network. | ||
| 169 | <br><br> | ||
| 170 | The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software | ||
| 171 | (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. | ||
| 172 | Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by | ||
| 173 | SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. | ||
| 174 | More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients | ||
| 175 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only | ||
| 176 | e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29524"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening | ||
| 177 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following | ||
| 178 | <code>inet_interfaces</code>·line·appears: | ||
| 179 | <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages | ||
| 180 | (such·as·cron·job·reports)·from·the·local·system·only, | ||
| 181 | and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 182 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 183 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol | ||
| 184 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system | 155 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 185 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | 156 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so |
| 186 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time | 157 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 187 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | 158 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among |
| 188 | a·network·of·systems,·and·that·their·time·is·consistent·with·the | 159 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 189 | outside·world. | 160 | outside·world. |
| 190 | <br><br> | 161 | <br><br> |
| Offset 203, 15 lines modified | Offset 174, 15 lines modified | ||
| 203 | <br><br> | 174 | <br><br> |
| 204 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP | 175 | A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP |
| 205 | servers,·and·the·remainder·obtaining·time·information·from·those | 176 | servers,·and·the·remainder·obtaining·time·information·from·those |
| 206 | internal·servers. | 177 | internal·servers. |
| 207 | <br><br> | 178 | <br><br> |
| 208 | More·information·on·how·to·configure·the·NTP·server·software, | 179 | More·information·on·how·to·configure·the·NTP·server·software, |
| 209 | including·configuration·of·cryptographic·authentication·for | 180 | including·configuration·of·cryptographic·authentication·for |
| 210 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm298 | 181 | time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29837"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon |
| 211 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 182 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 212 | ·········· | 183 | ·········· |
| 213 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 184 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| 214 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> | 185 | ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre> |
| 215 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> | 186 | ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code> |
| 216 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to | 187 | service·will·be·running·and·that·the·system·will·synchronize·its·time·to |
| 217 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be | 188 | any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be |
| Max diff block lines reached; 1337116/1361605 bytes (98.20%) of diff not shown. | |||
| Offset 63, 23 lines modified | Offset 63, 50 lines modified | ||
| 63 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 63 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 64 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 64 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 65 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 65 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 66 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 66 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 67 | quality,·reliability,·or·any·other·characteristic. | 67 | quality,·reliability,·or·any·other·characteristic. |
| 68 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 68 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 69 | ····························(as·of·2018-07-26) | 69 | ····························(as·of·2018-07-26) |
| 70 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 70 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xc[·...·truncated·by·diffoscope;·len:·910,·SHA:·dfe52403ca27039c6fd60778f9cb46d9343b9cfec43f048aeacec9a362dd7410·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·250·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 71 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 71 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 72 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 72 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 73 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 73 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 74 | ones·can·be·safely·disabled. | 74 | ones·can·be·safely·disabled. |
| 75 | <br><br> | 75 | <br><br> |
| 76 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 76 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 77 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 77 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 78 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·57·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 78 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·57·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 79 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to | ||
| 80 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | ||
| 81 | that·passwords·and·other·data·transmitted·during·the·session·can·be | ||
| 82 | captured·and·that·the·session·is·vulnerable·to·hijacking. | ||
| 83 | Therefore,·running·the·FTP·server·software·is·not·recommended. | ||
| 84 | <br><br> | ||
| 85 | However,·there·are·some·FTP·server·configurations·which·may | ||
| 86 | be·appropriate·for·some·environments,·particularly·those·which | ||
| 87 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | ||
| 88 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary | ||
| 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is | ||
| 90 | <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or | ||
| 91 | <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions | ||
| 92 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> | ||
| 93 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | ||
| 94 | <pre>xferlog_enable=YES | ||
| 95 | xferlog_std_format=NO | ||
| 96 | log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to | ||
| 97 | the·FTP·server·are·logged·using·the·verbose·vsftpd·log | ||
| 98 | format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 99 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 100 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29067"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users | ||
| 101 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 102 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 103 | <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 104 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 105 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server | ||
| 79 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows | 106 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows |
| 80 | Linux·systems·to·provide·file·and·print·sharing·to·Microsoft | 107 | Linux·systems·to·provide·file·and·print·sharing·to·Microsoft |
| 81 | Windows·systems.·There·are·two·software·packages·that·provide | 108 | Windows·systems.·There·are·two·software·packages·that·provide |
| 82 | Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of | 109 | Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of |
| 83 | command·line·tools·that·enable·a·client·system·to·access·Samba | 110 | command·line·tools·that·enable·a·client·system·to·access·Samba |
| 84 | shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba | 111 | shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba |
| 85 | service.·It·is·this·second·package·that·allows·a·Linux·system·to | 112 | service.·It·is·this·second·package·that·allows·a·Linux·system·to |
| Offset 89, 39 lines modified | Offset 116, 39 lines modified | ||
| 89 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in | 116 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in |
| 90 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a | 117 | <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a |
| 91 | <code>[global]</code>·configuration·section·and·a·series·of·user | 118 | <code>[global]</code>·configuration·section·and·a·series·of·user |
| 92 | created·share·definition·sections·meant·to·describe·file·or·print | 119 | created·share·definition·sections·meant·to·describe·file·or·print |
| 93 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode | 120 | shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode |
| 94 | and·allow·client·systems·to·access·local·home·directories·and | 121 | and·allow·client·systems·to·access·local·home·directories·and |
| 95 | printers.·It·is·recommended·that·these·settings·be·changed·or·that | 122 | printers.·It·is·recommended·that·these·settings·be·changed·or·that |
| 96 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29 | 123 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29696"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient |
| 97 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | 124 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use |
| 98 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | 125 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section |
| 99 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | 126 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: |
| 100 | <pre>client·signing·=·mandatory</pre> | 127 | <pre>client·signing·=·mandatory</pre> |
| 101 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | 128 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet |
| 102 | signing·ensures·they·can | 129 | signing·ensures·they·can |
| 103 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | 130 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent |
| 104 | man-in-the-middle·attacks·which·modify·SMB·packets·in | 131 | man-in-the-middle·attacks·which·modify·SMB·packets·in |
| 105 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 132 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 106 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 133 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 107 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 134 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29707">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29707"><pre><code>###################################################################### |
| 108 | #By·Luke·"Brisk-OH"·Brisk | 135 | #By·Luke·"Brisk-OH"·Brisk |
| 109 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 136 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 110 | ###################################################################### | 137 | ###################################################################### |
| 111 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 138 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| 112 | if·[·"$CLIENTSIGNING"·-eq·0·];··then | 139 | if·[·"$CLIENTSIGNING"·-eq·0·];··then |
| 113 | » #·Add·to·global·section | 140 | » #·Add·to·global·section |
| 114 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 141 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 115 | else | 142 | else |
| 116 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 143 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 117 | fi | 144 | fi |
| 118 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 145 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29708">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29708"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists |
| 119 | ··stat: | 146 | ··stat: |
| 120 | ····path:·/etc/samba/smb.conf | 147 | ····path:·/etc/samba/smb.conf |
| 121 | ··register:·st_smb | 148 | ··register:·st_smb |
| 122 | ··tags: | 149 | ··tags: |
| 123 | ····-·require_smb_client_signing | 150 | ····-·require_smb_client_signing |
| 124 | ····-·unknown_severity | 151 | ····-·unknown_severity |
| 125 | ····-·configure_strategy | 152 | ····-·configure_strategy |
| Offset 141, 71 lines modified | Offset 168, 191 lines modified | ||
| 141 | ····-·require_smb_client_signing | 168 | ····-·require_smb_client_signing |
| 142 | ····-·unknown_severity | 169 | ····-·unknown_severity |
| 143 | ····-·configure_strategy | 170 | ····-·configure_strategy |
| 144 | ····-·low_complexity | 171 | ····-·low_complexity |
| 145 | ····-·medium_disruption | 172 | ····-·medium_disruption |
| 146 | ····-·CCE-26328-5 | 173 | ····-·CCE-26328-5 |
| 147 | ····-·DISA-STIG-RHEL-06-000272 | 174 | ····-·DISA-STIG-RHEL-06-000272 |
| 148 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29 | 175 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29713"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs |
| 149 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba | 176 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba |
| 150 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares | 177 | shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares |
| 151 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either | 178 | in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either |
| 152 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. | 179 | <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used. |
| 153 | <br><br> | 180 | <br><br> |
| 154 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba | 181 | See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba |
| 155 | client·should·only·communicate·with·servers·who·can·support·SMB | 182 | client·should·only·communicate·with·servers·who·can·support·SMB |
| 156 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle | 183 | packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle |
| 157 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 184 | attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 158 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 185 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 159 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 186 | ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol |
| 160 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 187 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system |
| 161 | 188 | clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so | |
| 162 | t | 189 | time·will·drift·unpredictably·on·unmanaged·systems.·Central·time |
| 163 | 190 | protocols·can·be·used·both·to·ensure·that·time·is·consistent·among | |
| 164 | an | 191 | a·network·of·systems,·and·that·their·time·is·consistent·with·the |
| 192 | outside·world. | ||
| 165 | <br><br> | 193 | <br><br> |
| 166 | 194 | If·every·system·on·a·network·reliably·reports·the·same·time,·then·it·is·much | |
| 167 | 195 | easier·to·correlate·log·messages·in·case·of·an·attack.·In·addition,·a·number·of | |
| 168 | 196 | cryptographic·protocols·(such·as·Kerberos)·use·timestamps·to·prevent·certain | |
| 169 | 197 | types·of·attacks.·If·your·network·does·not·have·synchronized·time,·these | |
| 170 | 198 | protocols·may·be·unreliable·or·even·unusable. | |
| 171 | Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from | ||
| 172 | the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), | ||
| 173 | but·the·system·still·cannot·receive·mail·directly·over·a·network. | ||
| 174 | <br><br> | 199 | <br><br> |
| 175 | 200 | Depending·on·the·specifics·of·the·network,·global·time·accuracy·may·be·just·as | |
| Max diff block lines reached; 1809627/1843908 bytes (98.14%) of diff not shown. | |||
| Offset 57, 45 lines modified | Offset 57, 45 lines modified | ||
| 57 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 57 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 58 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 59 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 60 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 61 | quality,·reliability,·or·any·other·characteristic. | 61 | quality,·reliability,·or·any·other·characteristic. |
| 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 62 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 63 | ····························(as·of·2018-07-26) | 63 | ····························(as·of·2018-07-26) |
| 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 64 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·1135,·SHA:·21de240d343fbd223cf68c70c59d884c3ee65c2748e12911430648c71044dd8d·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·223·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·56·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·56·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 74 | 74 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | |
| 75 | 75 | that·passwords·and·other·data·transmitted·during·the·session·can·be | |
| 76 | 76 | captured·and·that·the·session·is·vulnerable·to·hijacking. | |
| 77 | 77 | Therefore,·running·the·FTP·server·software·is·not·recommended. | |
| 78 | 78 | <br><br> | |
| 79 | 79 | However,·there·are·some·FTP·server·configurations·which·may | |
| 80 | 80 | be·appropriate·for·some·environments,·particularly·those·which | |
| 81 | 81 | allow·only·read-only·anonymous·access·as·a·means·of·downloading | |
| 82 | de | 82 | data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible |
| 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_s | 83 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all |
| 84 | 84 | possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29100"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service | |
| 85 | a | 85 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 86 | sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm29002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba | ||
| 87 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | ||
| 88 | ············ | 86 | ············ |
| 89 | ········The·<code>s | 87 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 90 | ········<pre>$·sudo·chkconfig·s | 88 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> |
| 91 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running· | 89 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue |
| 92 | 90 | of·attack,·and·should·be·disabled·if·not·needed. | |
| 91 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | ||
| 92 | a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 93 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 94 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29 | 94 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 95 | # | 95 | # |
| 96 | #·Example·Call(s): | 96 | #·Example·Call(s): |
| 97 | # | 97 | # |
| 98 | #·····service_command·enable·bluetooth | 98 | #·····service_command·enable·bluetooth |
| 99 | #·····service_command·disable·bluetooth.service | 99 | #·····service_command·disable·bluetooth.service |
| 100 | # | 100 | # |
| 101 | #·····Using·xinetd: | 101 | #·····Using·xinetd: |
| Offset 162, 124 lines modified | Offset 162, 123 lines modified | ||
| 162 | ··else | 162 | ··else |
| 163 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 163 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 164 | ··fi | 164 | ··fi |
| 165 | fi | 165 | fi |
| 166 | } | 166 | } |
| 167 | service_command·disable·s | 167 | service_command·disable·vsftpd |
| 168 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29 | 168 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29110">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29110"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd |
| 169 | ··service: | 169 | ··service: |
| 170 | ····name="{{item}}" | 170 | ····name="{{item}}" |
| 171 | ····enabled="no" | 171 | ····enabled="no" |
| 172 | ····state="stopped" | 172 | ····state="stopped" |
| 173 | ··register:·service_result | 173 | ··register:·service_result |
| 174 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 174 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 175 | ··with_items: | 175 | ··with_items: |
| 176 | ····-·s | 176 | ····-·vsftpd |
| 177 | ··tags: | 177 | ··tags: |
| 178 | ····-·service_s | 178 | ····-·service_vsftpd_disabled |
| 179 | ····-·unknown_severity | 179 | ····-·unknown_severity |
| 180 | ····-·disable_strategy | 180 | ····-·disable_strategy |
| 181 | ····-·low_complexity | 181 | ····-·low_complexity |
| 182 | ····-·low_disruption | 182 | ····-·low_disruption |
| 183 | ····-·CCE-2 | 183 | ····-·CCE-26948-0 |
| 184 | 184 | ····-·NIST-800-53-CM-7 | |
| 185 | · | 185 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package |
| 186 | 186 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | |
| 187 | 187 | ············ | |
| 188 | 188 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | |
| 189 | 189 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | |
| 190 | an | 190 | ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its |
| 191 | 191 | accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | |
| 192 | additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient | ||
| 193 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use | ||
| 194 | packet·signing,·add·the·following·to·the·<code>[global]</code>·section | ||
| 195 | of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: | ||
| 196 | <pre>client·signing·=·mandatory</pre> | ||
| 197 | Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet | ||
| 198 | signing·ensures·they·can | ||
| 199 | only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent | ||
| 200 | man-in-the-middle·attacks·which·modify·SMB·packets·in | ||
| 201 | transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 202 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 192 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 203 | ············<a·href="http://iase.disa.mil/stigs/ | 193 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 204 | # | 194 | # |
| 205 | # | 195 | #·Example·Call(s): |
| 206 | # | 196 | # |
| 197 | #·····package_remove·telnet-server | ||
| 198 | # | ||
| 199 | function·package_remove·{ | ||
| 207 | 200 | #·Load·function·arguments·into·local·variables | |
| 201 | local·package="$1" | ||
| 208 | 202 | #·Check·sanity·of·the·input | |
| 209 | 203 | if·[·$#·-ne·"1"·] | |
| 210 | 204 | then | |
| 205 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 206 | ··echo·"Aborting." | ||
| 207 | ··exit·1 | ||
| 208 | fi | ||
| 209 | if·which·dnf·;·then | ||
| 210 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 211 | ····dnf·remove·-y·"$package" | ||
| 212 | ··fi | ||
| 213 | elif·which·yum·;·then | ||
| 214 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 215 | ····yum·remove·-y·"$package" | ||
| 216 | ··fi | ||
| 217 | elif·which·apt-get·;·then | ||
| 218 | ··apt-get·remove·-y·"$package" | ||
| 211 | else | 219 | else |
| 212 | 220 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 221 | ··echo·"Aborting." | ||
| 222 | ··exit·1 | ||
| 213 | fi | 223 | fi |
| 214 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm29091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 215 | ··stat: | ||
| Max diff block lines reached; 1705539/1731623 bytes (98.49%) of diff not shown. | |||
| Offset 66, 15 lines modified | Offset 66, 15 lines modified | ||
| 66 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 66 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 67 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 67 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 68 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 68 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 69 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 69 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 70 | quality,·reliability,·or·any·other·characteristic. | 70 | quality,·reliability,·or·any·other·characteristic. |
| 71 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·7</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 71 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·7</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 72 | ····························(as·of·2018-07-26) | 72 | ····························(as·of·2018-07-26) |
| 73 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Serv | 73 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·39,·SHA:·71531d2cb5e45bf87276058ffe0a5eac9722a5944d366562dfd03b1cc8832d7f·...·]</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"><small>contains·213·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 75 | the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 75 | the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 76 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which | 76 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which |
| 77 | ones·can·be·safely·disabled. | 77 | ones·can·be·safely·disabled. |
| 78 | <br><br> | 78 | <br><br> |
| 79 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 79 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 80 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 80 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| Offset 92, 24 lines modified | Offset 92, 24 lines modified | ||
| 92 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 92 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 93 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 93 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 94 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 94 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 95 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 95 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 96 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·14·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 96 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·14·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 97 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 97 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 98 | allow·cleartext·remote·access·and·have·an·insecure·trust | 98 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 99 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm3 | 99 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package |
| 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands | 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands |
| 101 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have | 101 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have |
| 102 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, | 102 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, |
| 103 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from | 103 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from |
| 104 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing | 104 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing |
| 105 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes | 105 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes |
| 106 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 106 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 107 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 107 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 108 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 108 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 109 | # | 109 | # |
| 110 | #·Example·Call(s): | 110 | #·Example·Call(s): |
| 111 | # | 111 | # |
| 112 | #·····package_remove·telnet-server | 112 | #·····package_remove·telnet-server |
| 113 | # | 113 | # |
| 114 | function·package_remove·{ | 114 | function·package_remove·{ |
| Offset 139, 62 lines modified | Offset 139, 62 lines modified | ||
| 139 | ··echo·"Aborting." | 139 | ··echo·"Aborting." |
| 140 | ··exit·1 | 140 | ··exit·1 |
| 141 | fi | 141 | fi |
| 142 | } | 142 | } |
| 143 | package_remove·rsh | 143 | package_remove·rsh |
| 144 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 144 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36023">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36023"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed |
| 145 | ··package: | 145 | ··package: |
| 146 | ····name="{{item}}" | 146 | ····name="{{item}}" |
| 147 | ····state=absent | 147 | ····state=absent |
| 148 | ··with_items: | 148 | ··with_items: |
| 149 | ····-·rsh | 149 | ····-·rsh |
| 150 | ··tags: | 150 | ··tags: |
| 151 | ····-·package_rsh_removed | 151 | ····-·package_rsh_removed |
| 152 | ····-·unknown_severity | 152 | ····-·unknown_severity |
| 153 | ····-·disable_strategy | 153 | ····-·disable_strategy |
| 154 | ····-·low_complexity | 154 | ····-·low_complexity |
| 155 | ····-·low_disruption | 155 | ····-·low_disruption |
| 156 | ····-·CCE-27274-0 | 156 | ····-·CCE-27274-0 |
| 157 | ····-·NIST-800-171-3.1.13 | 157 | ····-·NIST-800-171-3.1.13 |
| 158 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 158 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36024">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36024"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh |
| 159 | class·remove_rsh·{ | 159 | class·remove_rsh·{ |
| 160 | ··package·{·'rsh': | 160 | ··package·{·'rsh': |
| 161 | ····ensure·=>·'purged', | 161 | ····ensure·=>·'purged', |
| 162 | ··} | 162 | ··} |
| 163 | } | 163 | } |
| 164 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 164 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36025">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36025"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 165 | package·--remove=rsh | 165 | package·--remove=rsh |
| 166 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm360 | 166 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service |
| 167 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with | 167 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with |
| 168 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 168 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 169 | as·a·systemd·socket,·should·be·disabled. | 169 | as·a·systemd·socket,·should·be·disabled. |
| 170 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 170 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 171 | If·using·systemd,· | 171 | If·using·systemd,· |
| 172 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 172 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 173 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which | 173 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which |
| 174 | means·that·data·from·the·login·session,·including·passwords·and | 174 | means·that·data·from·the·login·session,·including·passwords·and |
| 175 | all·other·information·transmitted·during·the·session,·can·be | 175 | all·other·information·transmitted·during·the·session,·can·be |
| 176 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 176 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 177 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 177 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 178 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 178 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36054">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36054"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&&·\ |
| 179 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin | 179 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin |
| 180 | # | 180 | # |
| 181 | #·Disable·rlogin.socket·for·all·systemd·targets | 181 | #·Disable·rlogin.socket·for·all·systemd·targets |
| 182 | # | 182 | # |
| 183 | systemctl·disable·rlogin.socket | 183 | systemctl·disable·rlogin.socket |
| 184 | # | 184 | # |
| 185 | #·Stop·rlogin.socket·if·currently·running | 185 | #·Stop·rlogin.socket·if·currently·running |
| 186 | # | 186 | # |
| 187 | systemctl·stop·rlogin.socket | 187 | systemctl·stop·rlogin.socket |
| 188 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 188 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36055">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36055"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin |
| 189 | ··service: | 189 | ··service: |
| 190 | ····name="{{item}}" | 190 | ····name="{{item}}" |
| 191 | ····enabled="no" | 191 | ····enabled="no" |
| 192 | ····state="stopped" | 192 | ····state="stopped" |
| 193 | ··register:·service_result | 193 | ··register:·service_result |
| 194 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 194 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 195 | ··with_items: | 195 | ··with_items: |
| Offset 207, 39 lines modified | Offset 207, 39 lines modified | ||
| 207 | ····-·low_disruption | 207 | ····-·low_disruption |
| 208 | ····-·CCE-27336-7 | 208 | ····-·CCE-27336-7 |
| 209 | ····-·NIST-800-53-AC-17(8) | 209 | ····-·NIST-800-53-AC-17(8) |
| 210 | ····-·NIST-800-53-CM-7 | 210 | ····-·NIST-800-53-CM-7 |
| 211 | ····-·NIST-800-53-IA-5(1)(c) | 211 | ····-·NIST-800-53-IA-5(1)(c) |
| 212 | ····-·NIST-800-171-3.1.13 | 212 | ····-·NIST-800-171-3.1.13 |
| 213 | ····-·NIST-800-171-3.4.7 | 213 | ····-·NIST-800-171-3.4.7 |
| 214 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm360 | 214 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36060"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 215 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with | 215 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 216 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 216 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 217 | as·a·systemd·socket,·should·be·disabled. | 217 | as·a·systemd·socket,·should·be·disabled. |
| 218 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· | 218 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 219 | If·using·systemd,· | 219 | If·using·systemd,· |
| 220 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 220 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 221 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which | 221 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 222 | means·that·data·from·the·login·session,·including·passwords·and | 222 | means·that·data·from·the·login·session,·including·passwords·and |
| 223 | all·other·information·transmitted·during·the·session,·can·be | 223 | all·other·information·transmitted·during·the·session,·can·be |
| 224 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 224 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 225 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 225 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 226 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 226 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36084">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36084"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 227 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec | 227 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 228 | # | 228 | # |
| Max diff block lines reached; 1006940/1040005 bytes (96.82%) of diff not shown. | |||
| Offset 82, 26 lines modified | Offset 82, 26 lines modified | ||
| 82 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program· | 82 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program· |
| 83 | is·called·<code>sshd</code>·and·provided·by·the·RPM·package | 83 | is·called·<code>sshd</code>·and·provided·by·the·RPM·package |
| 84 | <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary | 84 | <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary |
| 85 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 85 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 86 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 86 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 87 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 87 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 88 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 88 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 89 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm39 | 89 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm39706"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords |
| 90 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·SSH·login·from·accounts·with | 90 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·SSH·login·from·accounts·with |
| 91 | empty·passwords,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>: | 91 | empty·passwords,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>: |
| 92 | <br> | 92 | <br> |
| 93 | <pre>PermitEmptyPasswords·no</pre> | 93 | <pre>PermitEmptyPasswords·no</pre> |
| 94 | <br> | 94 | <br> |
| 95 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | 95 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration |
| 96 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that | 96 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that |
| 97 | remote·login·via·SSH·will·require·a·password,·even·in·the·event·of· | 97 | remote·login·via·SSH·will·require·a·password,·even·in·the·event·of· |
| 98 | misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 98 | misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 99 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 99 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 100 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm397 | 100 | ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm39731">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39731"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 101 | #·it·does·not·exist. | 101 | #·it·does·not·exist. |
| 102 | # | 102 | # |
| 103 | #·Expects·arguments: | 103 | #·Expects·arguments: |
| 104 | # | 104 | # |
| 105 | #·config_file:» » Configuration·file·that·will·be·modified | 105 | #·config_file:» » Configuration·file·that·will·be·modified |
| 106 | #·key:» » » Configuration·option·to·change | 106 | #·key:» » » Configuration·option·to·change |
| 107 | #·value:»»Value·of·the·configuration·option·to·change | 107 | #·value:»»Value·of·the·configuration·option·to·change |
| Offset 172, 15 lines modified | Offset 172, 15 lines modified | ||
| 172 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 172 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 173 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 173 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 174 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 174 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 175 | ··fi | 175 | ··fi |
| 176 | } | 176 | } |
| 177 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s' | 177 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s' |
| 178 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm397 | 178 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm39733">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39733"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Disable·SSH·Access·via·Empty·Passwords |
| 179 | ··lineinfile: | 179 | ··lineinfile: |
| 180 | ····create:·yes | 180 | ····create:·yes |
| 181 | ····dest:·/etc/ssh/sshd_config | 181 | ····dest:·/etc/ssh/sshd_config |
| 182 | ····regexp:·^PermitEmptyPasswords | 182 | ····regexp:·^PermitEmptyPasswords |
| 183 | ····line:·PermitEmptyPasswords·no | 183 | ····line:·PermitEmptyPasswords·no |
| 184 | ····validate:·sshd·-t·-f·%s | 184 | ····validate:·sshd·-t·-f·%s |
| 185 | ··tags: | 185 | ··tags: |
| Offset 193, 21 lines modified | Offset 193, 21 lines modified | ||
| 193 | ····-·NIST-800-53-AC-3 | 193 | ····-·NIST-800-53-AC-3 |
| 194 | ····-·NIST-800-53-AC-6 | 194 | ····-·NIST-800-53-AC-6 |
| 195 | ····-·NIST-800-53-CM-6(b) | 195 | ····-·NIST-800-53-CM-6(b) |
| 196 | ····-·NIST-800-171-3.1.1 | 196 | ····-·NIST-800-171-3.1.1 |
| 197 | ····-·NIST-800-171-3.1.5 | 197 | ····-·NIST-800-171-3.1.5 |
| 198 | ····-·CJIS-5.5.6 | 198 | ····-·CJIS-5.5.6 |
| 199 | ····-·DISA-STIG-RHEL-07-010300 | 199 | ····-·DISA-STIG-RHEL-07-010300 |
| 200 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm397 | 200 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm39739"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count |
| 201 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, | 201 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set, |
| 202 | edit·<code>/etc/ssh/sshd_config</code>·as·follows: | 202 | edit·<code>/etc/ssh/sshd_config</code>·as·follows: |
| 203 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> | 203 | <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 204 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 204 | is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 205 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 205 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 206 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm397 | 206 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm39764">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39764"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 207 | #·it·does·not·exist. | 207 | #·it·does·not·exist. |
| 208 | # | 208 | # |
| 209 | #·Expects·arguments: | 209 | #·Expects·arguments: |
| 210 | # | 210 | # |
| 211 | #·config_file:» » Configuration·file·that·will·be·modified | 211 | #·config_file:» » Configuration·file·that·will·be·modified |
| 212 | #·key:» » » Configuration·option·to·change | 212 | #·key:» » » Configuration·option·to·change |
| 213 | #·value:»»Value·of·the·configuration·option·to·change | 213 | #·value:»»Value·of·the·configuration·option·to·change |
| Offset 278, 15 lines modified | Offset 278, 15 lines modified | ||
| 278 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 278 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 279 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 279 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 280 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 280 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 281 | ··fi | 281 | ··fi |
| 282 | } | 282 | } |
| 283 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' | 283 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' |
| 284 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm397 | 284 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm39766">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39766"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Set·SSH·Client·Alive·Count |
| 285 | ··lineinfile: | 285 | ··lineinfile: |
| 286 | ····create:·yes | 286 | ····create:·yes |
| 287 | ····dest:·/etc/ssh/sshd_config | 287 | ····dest:·/etc/ssh/sshd_config |
| 288 | ····regexp:·^ClientAliveCountMax | 288 | ····regexp:·^ClientAliveCountMax |
| 289 | ····line:·ClientAliveCountMax·0 | 289 | ····line:·ClientAliveCountMax·0 |
| 290 | ····validate:·sshd·-t·-f·%s | 290 | ····validate:·sshd·-t·-f·%s |
| 291 | ··#notify:·restart·sshd | 291 | ··#notify:·restart·sshd |
| Offset 299, 25 lines modified | Offset 299, 35 lines modified | ||
| 299 | ····-·CCE-27082-7 | 299 | ····-·CCE-27082-7 |
| 300 | ····-·NIST-800-53-AC-2(5) | 300 | ····-·NIST-800-53-AC-2(5) |
| 301 | ····-·NIST-800-53-SA-8 | 301 | ····-·NIST-800-53-SA-8 |
| 302 | ····-·NIST-800-53-AC-12 | 302 | ····-·NIST-800-53-AC-12 |
| 303 | ····-·NIST-800-171-3.1.11 | 303 | ····-·NIST-800-171-3.1.11 |
| 304 | ····-·CJIS-5.5.6 | 304 | ····-·CJIS-5.5.6 |
| 305 | ····-·DISA-STIG-RHEL-07-040340 | 305 | ····-·DISA-STIG-RHEL-07-040340 |
| 306 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_e | 306 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm39772"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 307 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_e | 307 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout |
| 308 | 308 | interval. | |
| 309 | 309 | After·this·interval·has·passed,·the·idle·user·will·be | |
| 310 | 310 | automatically·logged·out. | |
| 311 | 311 | <br><br> | |
| 312 | 312 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | |
| 313 | 313 | follows: | |
| 314 | 314 | <pre>ClientAliveInterval·<b>interval</b></pre> | |
| 315 | 315 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | |
| 316 | 316 | of·10·minutes,·set·<b>interval</b>·to·600. | |
| 317 | <br><br> | ||
| 318 | If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will· | ||
| 319 | preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | ||
| 320 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of | ||
| 321 | opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session | ||
| 322 | enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | ||
| 323 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | ||
| 324 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm39797">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39797"><pre><code> | ||
| 325 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">1800</abbr>" | ||
| 326 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | ||
| 317 | #·it·does·not·exist. | 327 | #·it·does·not·exist. |
| 318 | # | 328 | # |
| 319 | #·Expects·arguments: | 329 | #·Expects·arguments: |
| 320 | # | 330 | # |
| 321 | #·config_file:» » Configuration·file·that·will·be·modified | 331 | #·config_file:» » Configuration·file·that·will·be·modified |
| 322 | #·key:» » » Configuration·option·to·change | 332 | #·key:» » » Configuration·option·to·change |
| 323 | #·value:»»Value·of·the·configuration·option·to·change | 333 | #·value:»»Value·of·the·configuration·option·to·change |
| Offset 387, 45 lines modified | Offset 397, 54 lines modified | ||
| 387 | ··else | 397 | ··else |
| 388 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 398 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 389 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 399 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 390 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 400 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 391 | ··fi | 401 | ··fi |
| 392 | } | 402 | } |
| 393 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 403 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 394 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm398 | 404 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm39800">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39800"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable |
| 405 | ··set_fact: | ||
| Max diff block lines reached; 456402/483650 bytes (94.37%) of diff not shown. | |||
| Offset 56, 27 lines modified | Offset 56, 24 lines modified | ||
| 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in | 56 | <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in |
| 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The | 57 | this·guide·without·first·testing·them·in·a·non-operational·environment.·The |
| 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by | 58 | creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by |
| 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its | 59 | other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its |
| 60 | quality,·reliability,·or·any·other·characteristic. | 60 | quality,·reliability,·or·any·other·characteristic. |
| 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> | 61 | </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong> |
| 62 | ····························(as·of·2018-07-26) | 62 | ····························(as·of·2018-07-26) |
| 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ | 63 | ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_routing">Network·Routing</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·1045,·SHA:·34a457b90e6dfc8c26555d3cb2e11b5b3c1823d634243e7c52f3554b7bfc3eae·...·]</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·<tt>auditd</tt></a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project |
| 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services | 64 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services |
| 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review | 65 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review |
| 66 | the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It | 66 | the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It |
| 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which | 67 | then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which |
| 68 | ones·can·be·safely·disabled. | 68 | ones·can·be·safely·disabled. |
| 69 | <br><br> | 69 | <br><br> |
| 70 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 70 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 71 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 71 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 72 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services |
| 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are | ||
| 74 | ··self-sufficient·and·self-contained·applications·using·the·resource | ||
| 75 | ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services | ||
| 76 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible | 73 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible |
| 77 | services·which·have·historically·caused·problems·for·system | 74 | services·which·have·historically·caused·problems·for·system |
| 78 | security,·and·for·which·disabling·or·severely·limiting·the·service | 75 | security,·and·for·which·disabling·or·severely·limiting·the·service |
| 79 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of | 76 | has·been·the·best·available·guidance·for·some·time.·As·a·result·of |
| 80 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·7 | 77 | this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·7 |
| 81 | by·default. | 78 | by·default. |
| 82 | <br><br> | 79 | <br><br> |
| Offset 110, 15 lines modified | Offset 107, 51 lines modified | ||
| 110 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd | 107 | found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd |
| 111 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some | 108 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some |
| 112 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access | 109 | network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access |
| 113 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other | 110 | controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other |
| 114 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service | 111 | features,·and·it·is·not·installed·by·default.·The·older·Inetd·service |
| 115 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services | 112 | is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services |
| 116 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages | 113 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages |
| 117 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 114 | across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_imap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server |
| 115 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·provides·IMAP·and·POP3·services.·It·is·not | ||
| 116 | installed·by·default.·The·project·page·at·<a·href="http://www.dovecot.org">http://www.dovecot.org</a> | ||
| 117 | contains·more·detailed·information·about·Dovecot | ||
| 118 | configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary | ||
| 119 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or | ||
| 120 | POP3·server,·the·dovecot·software·should·be·configured·securely·by·following | ||
| 121 | the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support | ||
| 122 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the· | ||
| 123 | Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot· | ||
| 124 | server·in·order·to·read·their·mail,·and·passwords·should·never·be· | ||
| 125 | transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is· | ||
| 126 | downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates· | ||
| 127 | to·authenticate·the·server,·preventing·another·system·from·impersonating· | ||
| 128 | the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server | ||
| 129 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound | ||
| 130 | access·to·any·services.·This·modification·will·allow·remote·hosts·to | ||
| 131 | initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports | ||
| 132 | on·the·server·in·their·default·protected·state. | ||
| 133 | ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s): | ||
| 134 | ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and | ||
| 135 | ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols | ||
| 136 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as· | ||
| 137 | SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server· | ||
| 138 | to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.· | ||
| 139 | Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with· | ||
| 140 | only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,· | ||
| 141 | <code>pop3</code>,·<code>pop3s</code>)·required: | ||
| 142 | <pre>protocols·=·PROTOCOL</pre> | ||
| 143 | If·possible,·require·SSL·protection·for·all·transactions.·The·SSL· | ||
| 144 | protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for· | ||
| 145 | pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.· | ||
| 146 | An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the· | ||
| 147 | client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot | ||
| 148 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or | ||
| 149 | POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack | ||
| 118 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server | 150 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server |
| 119 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to | 151 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to |
| 120 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means | 152 | files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means |
| 121 | that·passwords·and·other·data·transmitted·during·the·session·can·be | 153 | that·passwords·and·other·data·transmitted·during·the·session·can·be |
| 122 | captured·and·that·the·session·is·vulnerable·to·hijacking. | 154 | captured·and·that·the·session·is·vulnerable·to·hijacking. |
| 123 | Therefore,·running·the·FTP·server·software·is·not·recommended. | 155 | Therefore,·running·the·FTP·server·software·is·not·recommended. |
| 124 | <br><br> | 156 | <br><br> |
| Offset 874, 51 lines modified | Offset 907, 18 lines modified | ||
| 874 | supersede·domain-name-servers·192.168.1.2; | 907 | supersede·domain-name-servers·192.168.1.2; |
| 875 | supersede·nis-domain·""; | 908 | supersede·nis-domain·""; |
| 876 | supersede·nis-servers·""; | 909 | supersede·nis-servers·""; |
| 877 | supersede·ntp-servers·"ntp.example.com·"; | 910 | supersede·ntp-servers·"ntp.example.com·"; |
| 878 | supersede·routers·192.168.1.1; | 911 | supersede·routers·192.168.1.1; |
| 879 | supersede·time-offset·-18000; | 912 | supersede·time-offset·-18000; |
| 880 | request·subnet-mask; | 913 | request·subnet-mask; |
| 881 | require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ | 914 | require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_docker"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_docker">Docker·Service |
| 882 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ | 915 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are |
| 883 | 916 | ··self-sufficient·and·self-contained·applications·using·the·resource | |
| 884 | contains | 917 | ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC |
| 885 | configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary | ||
| 886 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or | ||
| 887 | POP3·server,·the·dovecot·software·should·be·configured·securely·by·following | ||
| 888 | the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support | ||
| 889 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the· | ||
| 890 | Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot· | ||
| 891 | server·in·order·to·read·their·mail,·and·passwords·should·never·be· | ||
| 892 | transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is· | ||
| 893 | downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates· | ||
| 894 | to·authenticate·the·server,·preventing·another·system·from·impersonating· | ||
| 895 | the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server | ||
| 896 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound | ||
| 897 | access·to·any·services.·This·modification·will·allow·remote·hosts·to | ||
| 898 | initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports | ||
| 899 | on·the·server·in·their·default·protected·state. | ||
| 900 | ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s): | ||
| 901 | ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and | ||
| 902 | ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols | ||
| 903 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as· | ||
| 904 | SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server· | ||
| 905 | to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.· | ||
| 906 | Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with· | ||
| 907 | only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,· | ||
| 908 | <code>pop3</code>,·<code>pop3s</code>)·required: | ||
| 909 | <pre>protocols·=·PROTOCOL</pre> | ||
| 910 | If·possible,·require·SSL·protection·for·all·transactions.·The·SSL· | ||
| 911 | protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for· | ||
| 912 | pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.· | ||
| 913 | An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the· | ||
| 914 | client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot | ||
| 915 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or | ||
| 916 | POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC | ||
| 917 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for | 918 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for |
| 918 | the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the | 919 | the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the |
| 919 | circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies, | 920 | circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies, |
| Max diff block lines reached; 84025/118707 bytes (70.78%) of diff not shown. | |||
| Offset 90, 24 lines modified | Offset 90, 24 lines modified | ||
| 90 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 90 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 91 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 91 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 92 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 92 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 93 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 93 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 94 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 94 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 95 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 95 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 96 | allow·cleartext·remote·access·and·have·an·insecure·trust | 96 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 97 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm3 | 97 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package |
| 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands | 98 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands |
| 99 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have | 99 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have |
| 100 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, | 100 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, |
| 101 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from | 101 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from |
| 102 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing | 102 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing |
| 103 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes | 103 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes |
| 104 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 104 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 105 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 105 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 106 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 106 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 107 | # | 107 | # |
| 108 | #·Example·Call(s): | 108 | #·Example·Call(s): |
| 109 | # | 109 | # |
| 110 | #·····package_remove·telnet-server | 110 | #·····package_remove·telnet-server |
| 111 | # | 111 | # |
| 112 | function·package_remove·{ | 112 | function·package_remove·{ |
| Offset 137, 62 lines modified | Offset 137, 62 lines modified | ||
| 137 | ··echo·"Aborting." | 137 | ··echo·"Aborting." |
| 138 | ··exit·1 | 138 | ··exit·1 |
| 139 | fi | 139 | fi |
| 140 | } | 140 | } |
| 141 | package_remove·rsh | 141 | package_remove·rsh |
| 142 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 142 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36023">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36023"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed |
| 143 | ··package: | 143 | ··package: |
| 144 | ····name="{{item}}" | 144 | ····name="{{item}}" |
| 145 | ····state=absent | 145 | ····state=absent |
| 146 | ··with_items: | 146 | ··with_items: |
| 147 | ····-·rsh | 147 | ····-·rsh |
| 148 | ··tags: | 148 | ··tags: |
| 149 | ····-·package_rsh_removed | 149 | ····-·package_rsh_removed |
| 150 | ····-·unknown_severity | 150 | ····-·unknown_severity |
| 151 | ····-·disable_strategy | 151 | ····-·disable_strategy |
| 152 | ····-·low_complexity | 152 | ····-·low_complexity |
| 153 | ····-·low_disruption | 153 | ····-·low_disruption |
| 154 | ····-·CCE-27274-0 | 154 | ····-·CCE-27274-0 |
| 155 | ····-·NIST-800-171-3.1.13 | 155 | ····-·NIST-800-171-3.1.13 |
| 156 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 156 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36024">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36024"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh |
| 157 | class·remove_rsh·{ | 157 | class·remove_rsh·{ |
| 158 | ··package·{·'rsh': | 158 | ··package·{·'rsh': |
| 159 | ····ensure·=>·'purged', | 159 | ····ensure·=>·'purged', |
| 160 | ··} | 160 | ··} |
| 161 | } | 161 | } |
| 162 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 162 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36025">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36025"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 163 | package·--remove=rsh | 163 | package·--remove=rsh |
| 164 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm360 | 164 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service |
| 165 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with | 165 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with |
| 166 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 166 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 167 | as·a·systemd·socket,·should·be·disabled. | 167 | as·a·systemd·socket,·should·be·disabled. |
| 168 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 168 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 169 | If·using·systemd,· | 169 | If·using·systemd,· |
| 170 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 170 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 171 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which | 171 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which |
| 172 | means·that·data·from·the·login·session,·including·passwords·and | 172 | means·that·data·from·the·login·session,·including·passwords·and |
| 173 | all·other·information·transmitted·during·the·session,·can·be | 173 | all·other·information·transmitted·during·the·session,·can·be |
| 174 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 174 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 175 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 175 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 176 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 176 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36054">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36054"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&&·\ |
| 177 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin | 177 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin |
| 178 | # | 178 | # |
| 179 | #·Disable·rlogin.socket·for·all·systemd·targets | 179 | #·Disable·rlogin.socket·for·all·systemd·targets |
| 180 | # | 180 | # |
| 181 | systemctl·disable·rlogin.socket | 181 | systemctl·disable·rlogin.socket |
| 182 | # | 182 | # |
| 183 | #·Stop·rlogin.socket·if·currently·running | 183 | #·Stop·rlogin.socket·if·currently·running |
| 184 | # | 184 | # |
| 185 | systemctl·stop·rlogin.socket | 185 | systemctl·stop·rlogin.socket |
| 186 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 186 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36055">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36055"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin |
| 187 | ··service: | 187 | ··service: |
| 188 | ····name="{{item}}" | 188 | ····name="{{item}}" |
| 189 | ····enabled="no" | 189 | ····enabled="no" |
| 190 | ····state="stopped" | 190 | ····state="stopped" |
| 191 | ··register:·service_result | 191 | ··register:·service_result |
| 192 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 192 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 193 | ··with_items: | 193 | ··with_items: |
| Offset 205, 39 lines modified | Offset 205, 39 lines modified | ||
| 205 | ····-·low_disruption | 205 | ····-·low_disruption |
| 206 | ····-·CCE-27336-7 | 206 | ····-·CCE-27336-7 |
| 207 | ····-·NIST-800-53-AC-17(8) | 207 | ····-·NIST-800-53-AC-17(8) |
| 208 | ····-·NIST-800-53-CM-7 | 208 | ····-·NIST-800-53-CM-7 |
| 209 | ····-·NIST-800-53-IA-5(1)(c) | 209 | ····-·NIST-800-53-IA-5(1)(c) |
| 210 | ····-·NIST-800-171-3.1.13 | 210 | ····-·NIST-800-171-3.1.13 |
| 211 | ····-·NIST-800-171-3.4.7 | 211 | ····-·NIST-800-171-3.4.7 |
| 212 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm360 | 212 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36060"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with | 213 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 214 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 214 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 215 | as·a·systemd·socket,·should·be·disabled. | 215 | as·a·systemd·socket,·should·be·disabled. |
| 216 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· | 216 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 217 | If·using·systemd,· | 217 | If·using·systemd,· |
| 218 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 218 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 219 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which | 219 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 220 | means·that·data·from·the·login·session,·including·passwords·and | 220 | means·that·data·from·the·login·session,·including·passwords·and |
| 221 | all·other·information·transmitted·during·the·session,·can·be | 221 | all·other·information·transmitted·during·the·session,·can·be |
| 222 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 222 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 223 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 223 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 224 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 224 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36084">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36084"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 225 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec | 225 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 226 | # | 226 | # |
| 227 | #·Disable·rexec.socket·for·all·systemd·targets | 227 | #·Disable·rexec.socket·for·all·systemd·targets |
| 228 | # | 228 | # |
| 229 | systemctl·disable·rexec.socket | 229 | systemctl·disable·rexec.socket |
| 230 | # | 230 | # |
| 231 | #·Stop·rexec.socket·if·currently·running | 231 | #·Stop·rexec.socket·if·currently·running |
| 232 | # | 232 | # |
| 233 | systemctl·stop·rexec.socket | 233 | systemctl·stop·rexec.socket |
| 234 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 234 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36085">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36085"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 235 | ··service: | 235 | ··service: |
| 236 | ····name="{{item}}" | 236 | ····name="{{item}}" |
| 237 | ····enabled="no" | 237 | ····enabled="no" |
| 238 | ····state="stopped" | 238 | ····state="stopped" |
| 239 | ··register:·service_result | 239 | ··register:·service_result |
| 240 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 240 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 241 | ··with_items: | 241 | ··with_items: |
| Max diff block lines reached; 838078/863207 bytes (97.09%) of diff not shown. | |||
| Offset 98, 24 lines modified | Offset 98, 24 lines modified | ||
| 98 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 98 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 99 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 99 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 100 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 100 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 101 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 101 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 102 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 102 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 103 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 103 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 104 | allow·cleartext·remote·access·and·have·an·insecure·trust | 104 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 105 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm3 | 105 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package |
| 106 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands | 106 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands |
| 107 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have | 107 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have |
| 108 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, | 108 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, |
| 109 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from | 109 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from |
| 110 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing | 110 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing |
| 111 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes | 111 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes |
| 112 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 112 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 113 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 113 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 114 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 114 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 115 | # | 115 | # |
| 116 | #·Example·Call(s): | 116 | #·Example·Call(s): |
| 117 | # | 117 | # |
| 118 | #·····package_remove·telnet-server | 118 | #·····package_remove·telnet-server |
| 119 | # | 119 | # |
| 120 | function·package_remove·{ | 120 | function·package_remove·{ |
| Offset 145, 62 lines modified | Offset 145, 62 lines modified | ||
| 145 | ··echo·"Aborting." | 145 | ··echo·"Aborting." |
| 146 | ··exit·1 | 146 | ··exit·1 |
| 147 | fi | 147 | fi |
| 148 | } | 148 | } |
| 149 | package_remove·rsh | 149 | package_remove·rsh |
| 150 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 150 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36023">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36023"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed |
| 151 | ··package: | 151 | ··package: |
| 152 | ····name="{{item}}" | 152 | ····name="{{item}}" |
| 153 | ····state=absent | 153 | ····state=absent |
| 154 | ··with_items: | 154 | ··with_items: |
| 155 | ····-·rsh | 155 | ····-·rsh |
| 156 | ··tags: | 156 | ··tags: |
| 157 | ····-·package_rsh_removed | 157 | ····-·package_rsh_removed |
| 158 | ····-·unknown_severity | 158 | ····-·unknown_severity |
| 159 | ····-·disable_strategy | 159 | ····-·disable_strategy |
| 160 | ····-·low_complexity | 160 | ····-·low_complexity |
| 161 | ····-·low_disruption | 161 | ····-·low_disruption |
| 162 | ····-·CCE-27274-0 | 162 | ····-·CCE-27274-0 |
| 163 | ····-·NIST-800-171-3.1.13 | 163 | ····-·NIST-800-171-3.1.13 |
| 164 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 164 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36024">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36024"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh |
| 165 | class·remove_rsh·{ | 165 | class·remove_rsh·{ |
| 166 | ··package·{·'rsh': | 166 | ··package·{·'rsh': |
| 167 | ····ensure·=>·'purged', | 167 | ····ensure·=>·'purged', |
| 168 | ··} | 168 | ··} |
| 169 | } | 169 | } |
| 170 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 170 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36025">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36025"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 171 | package·--remove=rsh | 171 | package·--remove=rsh |
| 172 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm360 | 172 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service |
| 173 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with | 173 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with |
| 174 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 174 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 175 | as·a·systemd·socket,·should·be·disabled. | 175 | as·a·systemd·socket,·should·be·disabled. |
| 176 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 176 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 177 | If·using·systemd,· | 177 | If·using·systemd,· |
| 178 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 178 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 179 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which | 179 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which |
| 180 | means·that·data·from·the·login·session,·including·passwords·and | 180 | means·that·data·from·the·login·session,·including·passwords·and |
| 181 | all·other·information·transmitted·during·the·session,·can·be | 181 | all·other·information·transmitted·during·the·session,·can·be |
| 182 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 182 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 183 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 183 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 184 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 184 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36054">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36054"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&&·\ |
| 185 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin | 185 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin |
| 186 | # | 186 | # |
| 187 | #·Disable·rlogin.socket·for·all·systemd·targets | 187 | #·Disable·rlogin.socket·for·all·systemd·targets |
| 188 | # | 188 | # |
| 189 | systemctl·disable·rlogin.socket | 189 | systemctl·disable·rlogin.socket |
| 190 | # | 190 | # |
| 191 | #·Stop·rlogin.socket·if·currently·running | 191 | #·Stop·rlogin.socket·if·currently·running |
| 192 | # | 192 | # |
| 193 | systemctl·stop·rlogin.socket | 193 | systemctl·stop·rlogin.socket |
| 194 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 194 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36055">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36055"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin |
| 195 | ··service: | 195 | ··service: |
| 196 | ····name="{{item}}" | 196 | ····name="{{item}}" |
| 197 | ····enabled="no" | 197 | ····enabled="no" |
| 198 | ····state="stopped" | 198 | ····state="stopped" |
| 199 | ··register:·service_result | 199 | ··register:·service_result |
| 200 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 200 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 201 | ··with_items: | 201 | ··with_items: |
| Offset 213, 39 lines modified | Offset 213, 39 lines modified | ||
| 213 | ····-·low_disruption | 213 | ····-·low_disruption |
| 214 | ····-·CCE-27336-7 | 214 | ····-·CCE-27336-7 |
| 215 | ····-·NIST-800-53-AC-17(8) | 215 | ····-·NIST-800-53-AC-17(8) |
| 216 | ····-·NIST-800-53-CM-7 | 216 | ····-·NIST-800-53-CM-7 |
| 217 | ····-·NIST-800-53-IA-5(1)(c) | 217 | ····-·NIST-800-53-IA-5(1)(c) |
| 218 | ····-·NIST-800-171-3.1.13 | 218 | ····-·NIST-800-171-3.1.13 |
| 219 | ····-·NIST-800-171-3.4.7 | 219 | ····-·NIST-800-171-3.4.7 |
| 220 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm360 | 220 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36060"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 221 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with | 221 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 222 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 222 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 223 | as·a·systemd·socket,·should·be·disabled. | 223 | as·a·systemd·socket,·should·be·disabled. |
| 224 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· | 224 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 225 | If·using·systemd,· | 225 | If·using·systemd,· |
| 226 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 226 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 227 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which | 227 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 228 | means·that·data·from·the·login·session,·including·passwords·and | 228 | means·that·data·from·the·login·session,·including·passwords·and |
| 229 | all·other·information·transmitted·during·the·session,·can·be | 229 | all·other·information·transmitted·during·the·session,·can·be |
| 230 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 230 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 231 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 231 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 232 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 232 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36084">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36084"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 233 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec | 233 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 234 | # | 234 | # |
| 235 | #·Disable·rexec.socket·for·all·systemd·targets | 235 | #·Disable·rexec.socket·for·all·systemd·targets |
| 236 | # | 236 | # |
| 237 | systemctl·disable·rexec.socket | 237 | systemctl·disable·rexec.socket |
| 238 | # | 238 | # |
| 239 | #·Stop·rexec.socket·if·currently·running | 239 | #·Stop·rexec.socket·if·currently·running |
| 240 | # | 240 | # |
| 241 | systemctl·stop·rexec.socket | 241 | systemctl·stop·rexec.socket |
| 242 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 242 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36085">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36085"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 243 | ··service: | 243 | ··service: |
| 244 | ····name="{{item}}" | 244 | ····name="{{item}}" |
| 245 | ····enabled="no" | 245 | ····enabled="no" |
| 246 | ····state="stopped" | 246 | ····state="stopped" |
| 247 | ··register:·service_result | 247 | ··register:·service_result |
| 248 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 248 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 249 | ··with_items: | 249 | ··with_items: |
| Max diff block lines reached; 1663737/1688866 bytes (98.51%) of diff not shown. | |||
| Offset 109, 24 lines modified | Offset 109, 24 lines modified | ||
| 109 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 109 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 110 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 110 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 111 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 111 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 112 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 112 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 113 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 113 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 114 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 114 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 115 | allow·cleartext·remote·access·and·have·an·insecure·trust | 115 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 116 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm3 | 116 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package |
| 117 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands | 117 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands |
| 118 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have | 118 | for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have |
| 119 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, | 119 | been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed, |
| 120 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from | 120 | it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from |
| 121 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing | 121 | inadvertently·attempting·to·use·these·commands·and·therefore·exposing |
| 122 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes | 122 | their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes |
| 123 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 123 | the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 124 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 124 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 125 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 125 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 126 | # | 126 | # |
| 127 | #·Example·Call(s): | 127 | #·Example·Call(s): |
| 128 | # | 128 | # |
| 129 | #·····package_remove·telnet-server | 129 | #·····package_remove·telnet-server |
| 130 | # | 130 | # |
| 131 | function·package_remove·{ | 131 | function·package_remove·{ |
| Offset 156, 62 lines modified | Offset 156, 62 lines modified | ||
| 156 | ··echo·"Aborting." | 156 | ··echo·"Aborting." |
| 157 | ··exit·1 | 157 | ··exit·1 |
| 158 | fi | 158 | fi |
| 159 | } | 159 | } |
| 160 | package_remove·rsh | 160 | package_remove·rsh |
| 161 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 161 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36023">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36023"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed |
| 162 | ··package: | 162 | ··package: |
| 163 | ····name="{{item}}" | 163 | ····name="{{item}}" |
| 164 | ····state=absent | 164 | ····state=absent |
| 165 | ··with_items: | 165 | ··with_items: |
| 166 | ····-·rsh | 166 | ····-·rsh |
| 167 | ··tags: | 167 | ··tags: |
| 168 | ····-·package_rsh_removed | 168 | ····-·package_rsh_removed |
| 169 | ····-·unknown_severity | 169 | ····-·unknown_severity |
| 170 | ····-·disable_strategy | 170 | ····-·disable_strategy |
| 171 | ····-·low_complexity | 171 | ····-·low_complexity |
| 172 | ····-·low_disruption | 172 | ····-·low_disruption |
| 173 | ····-·CCE-27274-0 | 173 | ····-·CCE-27274-0 |
| 174 | ····-·NIST-800-171-3.1.13 | 174 | ····-·NIST-800-171-3.1.13 |
| 175 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 175 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36024">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36024"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh |
| 176 | class·remove_rsh·{ | 176 | class·remove_rsh·{ |
| 177 | ··package·{·'rsh': | 177 | ··package·{·'rsh': |
| 178 | ····ensure·=>·'purged', | 178 | ····ensure·=>·'purged', |
| 179 | ··} | 179 | ··} |
| 180 | } | 180 | } |
| 181 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 181 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36025">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36025"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 182 | package·--remove=rsh | 182 | package·--remove=rsh |
| 183 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm360 | 183 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service |
| 184 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with | 184 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with |
| 185 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 185 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 186 | as·a·systemd·socket,·should·be·disabled. | 186 | as·a·systemd·socket,·should·be·disabled. |
| 187 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. | 187 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>. |
| 188 | If·using·systemd,· | 188 | If·using·systemd,· |
| 189 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: | 189 | ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command: |
| 190 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which | 190 | ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which |
| 191 | means·that·data·from·the·login·session,·including·passwords·and | 191 | means·that·data·from·the·login·session,·including·passwords·and |
| 192 | all·other·information·transmitted·during·the·session,·can·be | 192 | all·other·information·transmitted·during·the·session,·can·be |
| 193 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 193 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 194 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 194 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 195 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm360 | 195 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36054">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36054"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&&·\ |
| 196 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin | 196 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin |
| 197 | # | 197 | # |
| 198 | #·Disable·rlogin.socket·for·all·systemd·targets | 198 | #·Disable·rlogin.socket·for·all·systemd·targets |
| 199 | # | 199 | # |
| 200 | systemctl·disable·rlogin.socket | 200 | systemctl·disable·rlogin.socket |
| 201 | # | 201 | # |
| 202 | #·Stop·rlogin.socket·if·currently·running | 202 | #·Stop·rlogin.socket·if·currently·running |
| 203 | # | 203 | # |
| 204 | systemctl·stop·rlogin.socket | 204 | systemctl·stop·rlogin.socket |
| 205 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm360 | 205 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36055">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36055"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin |
| 206 | ··service: | 206 | ··service: |
| 207 | ····name="{{item}}" | 207 | ····name="{{item}}" |
| 208 | ····enabled="no" | 208 | ····enabled="no" |
| 209 | ····state="stopped" | 209 | ····state="stopped" |
| 210 | ··register:·service_result | 210 | ··register:·service_result |
| 211 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 211 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 212 | ··with_items: | 212 | ··with_items: |
| Offset 224, 39 lines modified | Offset 224, 39 lines modified | ||
| 224 | ····-·low_disruption | 224 | ····-·low_disruption |
| 225 | ····-·CCE-27336-7 | 225 | ····-·CCE-27336-7 |
| 226 | ····-·NIST-800-53-AC-17(8) | 226 | ····-·NIST-800-53-AC-17(8) |
| 227 | ····-·NIST-800-53-CM-7 | 227 | ····-·NIST-800-53-CM-7 |
| 228 | ····-·NIST-800-53-IA-5(1)(c) | 228 | ····-·NIST-800-53-IA-5(1)(c) |
| 229 | ····-·NIST-800-171-3.1.13 | 229 | ····-·NIST-800-171-3.1.13 |
| 230 | ····-·NIST-800-171-3.4.7 | 230 | ····-·NIST-800-171-3.4.7 |
| 231 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm360 | 231 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36060"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service |
| 232 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with | 232 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with |
| 233 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately | 233 | the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately |
| 234 | as·a·systemd·socket,·should·be·disabled. | 234 | as·a·systemd·socket,·should·be·disabled. |
| 235 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· | 235 | If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.· |
| 236 | If·using·systemd,· | 236 | If·using·systemd,· |
| 237 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 237 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 238 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which | 238 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which |
| 239 | means·that·data·from·the·login·session,·including·passwords·and | 239 | means·that·data·from·the·login·session,·including·passwords·and |
| 240 | all·other·information·transmitted·during·the·session,·can·be | 240 | all·other·information·transmitted·during·the·session,·can·be |
| 241 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 241 | stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 242 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 242 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 243 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 243 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36084">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36084"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&&·\ |
| 244 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec | 244 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec |
| 245 | # | 245 | # |
| 246 | #·Disable·rexec.socket·for·all·systemd·targets | 246 | #·Disable·rexec.socket·for·all·systemd·targets |
| 247 | # | 247 | # |
| 248 | systemctl·disable·rexec.socket | 248 | systemctl·disable·rexec.socket |
| 249 | # | 249 | # |
| 250 | #·Stop·rexec.socket·if·currently·running | 250 | #·Stop·rexec.socket·if·currently·running |
| 251 | # | 251 | # |
| 252 | systemctl·stop·rexec.socket | 252 | systemctl·stop·rexec.socket |
| 253 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 253 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36085">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36085"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec |
| 254 | ··service: | 254 | ··service: |
| 255 | ····name="{{item}}" | 255 | ····name="{{item}}" |
| 256 | ····enabled="no" | 256 | ····enabled="no" |
| 257 | ····state="stopped" | 257 | ····state="stopped" |
| 258 | ··register:·service_result | 258 | ··register:·service_result |
| 259 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 259 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 260 | ··with_items: | 260 | ··with_items: |
| Max diff block lines reached; 1663739/1688870 bytes (98.51%) of diff not shown. | |||
| Offset 116, 15 lines modified | Offset 116, 15 lines modified | ||
| 116 | <br><br> | 116 | <br><br> |
| 117 | Refer·to·<a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>·for·more·detailed·comparison·of·features·of·<code>chronyd</code> | 117 | Refer·to·<a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>·for·more·detailed·comparison·of·features·of·<code>chronyd</code> |
| 118 | and·<code>ntpd</code>·daemon·features·respectively,·and·for·further·guidance·how·to | 118 | and·<code>ntpd</code>·daemon·features·respectively,·and·for·further·guidance·how·to |
| 119 | choose·between·the·two·NTP·daemons. | 119 | choose·between·the·two·NTP·daemons. |
| 120 | <br><br> | 120 | <br><br> |
| 121 | The·upstream·manual·pages·at·<a·href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</a>·for | 121 | The·upstream·manual·pages·at·<a·href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</a>·for |
| 122 | <code>chronyd</code>·and·<a·href="http://www.ntp.org">http://www.ntp.org</a>·for·<code>ntpd</code>·provide·additional | 122 | <code>chronyd</code>·and·<a·href="http://www.ntp.org">http://www.ntp.org</a>·for·<code>ntpd</code>·provide·additional |
| 123 | information·on·the·capabilities·and·configuration·of·each·of·the·NTP·daemons.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm384 | 123 | information·on·the·capabilities·and·configuration·of·each·of·the·NTP·daemons.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm38489"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers |
| 124 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete | 124 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete |
| 125 | production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be | 125 | production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be |
| 126 | configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the | 126 | configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the |
| 127 | default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to | 127 | default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to |
| 128 | <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a> | 128 | <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a> |
| 129 | for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for | 129 | for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for |
| 130 | further·guidance·how·to·choose·between·the·two·NTP·daemons. | 130 | further·guidance·how·to·choose·between·the·two·NTP·daemons. |
| Offset 137, 15 lines modified | Offset 137, 15 lines modified | ||
| 137 | Add·additional·lines·of·the·following·form,·substituting·the·IP·address·or | 137 | Add·additional·lines·of·the·following·form,·substituting·the·IP·address·or |
| 138 | hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: | 138 | hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>: |
| 139 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of | 139 | <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of |
| 140 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes | 140 | accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes |
| 141 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for | 141 | unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for |
| 142 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 142 | other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 143 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 143 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 144 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38 | 144 | ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38509">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38509"><pre><code> |
| 145 | var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>" | 145 | var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>" |
| 146 | #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here. | 146 | #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here. |
| 147 | #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries | 147 | #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries |
| 148 | #·$1:·Path·to·the·config·file | 148 | #·$1:·Path·to·the·config·file |
| 149 | #·$2:·Comma-separated·list·of·servers | 149 | #·$2:·Comma-separated·list·of·servers |
| 150 | function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{ | 150 | function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{ |
| Offset 164, 15 lines modified | Offset 164, 15 lines modified | ||
| 164 | rhel7_ensure_there_are_servers_in_ntp_compatible_config_file | 164 | rhel7_ensure_there_are_servers_in_ntp_compatible_config_file |
| 165 | config_file="/etc/ntp.conf" | 165 | config_file="/etc/ntp.conf" |
| 166 | /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf" | 166 | /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf" |
| 167 | [·"$(grep·-c·'^server'·"$config_file")"·-gt·1·]·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers" | 167 | [·"$(grep·-c·'^server'·"$config_file")"·-gt·1·]·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers" |
| 168 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·id="guide-tree-leaf-idm38 | 168 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·id="guide-tree-leaf-idm38514"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server |
| 169 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete | 169 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete |
| 170 | production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be | 170 | production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be |
| 171 | configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the | 171 | configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the |
| 172 | default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to | 172 | default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to |
| 173 | <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a> | 173 | <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a> |
| 174 | for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for | 174 | for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for |
| 175 | further·guidance·how·to·choose·between·the·two·NTP·daemons. | 175 | further·guidance·how·to·choose·between·the·two·NTP·daemons. |
| Offset 184, 15 lines modified | Offset 184, 15 lines modified | ||
| 184 | Add·or·correct·the·following·lines,·substituting·the·IP·or·hostname·of·a·remote | 184 | Add·or·correct·the·following·lines,·substituting·the·IP·or·hostname·of·a·remote |
| 185 | NTP·server·for·<em>ntpserver</em>: | 185 | NTP·server·for·<em>ntpserver</em>: |
| 186 | <pre>server·<i>ntpserver</i></pre> | 186 | <pre>server·<i>ntpserver</i></pre> |
| 187 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time | 187 | This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time |
| 188 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible·to·collate·system | 188 | data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible·to·collate·system |
| 189 | logs·from·multiple·sources·or·correlate·computer·events·with·real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 189 | logs·from·multiple·sources·or·correlate·computer·events·with·real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 190 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 190 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 191 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38 | 191 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38538">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38538"><pre><code> |
| 192 | var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>" | 192 | var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>" |
| 193 | #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here. | 193 | #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here. |
| 194 | #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries | 194 | #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries |
| 195 | #·$1:·Path·to·the·config·file | 195 | #·$1:·Path·to·the·config·file |
| 196 | #·$2:·Comma-separated·list·of·servers | 196 | #·$2:·Comma-separated·list·of·servers |
| 197 | function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{ | 197 | function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{ |
| Offset 211, 15 lines modified | Offset 211, 15 lines modified | ||
| 211 | rhel7_ensure_there_are_servers_in_ntp_compatible_config_file | 211 | rhel7_ensure_there_are_servers_in_ntp_compatible_config_file |
| 212 | config_file="/etc/ntp.conf" | 212 | config_file="/etc/ntp.conf" |
| 213 | /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf" | 213 | /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf" |
| 214 | grep·-q·^server·"$config_file"·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers" | 214 | grep·-q·^server·"$config_file"·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers" |
| 215 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·id="guide-tree-leaf-idm38 | 215 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·id="guide-tree-leaf-idm38545"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">Enable·the·NTP·Daemon |
| 216 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> | 216 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> |
| 217 | ········The·<code>chronyd</code>·service·can·be·enabled·with·the·following·command: | 217 | ········The·<code>chronyd</code>·service·can·be·enabled·with·the·following·command: |
| 218 | ········<pre>$·sudo·systemctl·enable·chronyd.service</pre> | 218 | ········<pre>$·sudo·systemctl·enable·chronyd.service</pre> |
| 219 | Note:·The·<code>chronyd</code>·daemon·is·enabled·by·default. | 219 | Note:·The·<code>chronyd</code>·daemon·is·enabled·by·default. |
| 220 | <br><br> | 220 | <br><br> |
| 221 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: | 221 | ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command: |
| Offset 237, 15 lines modified | Offset 237, 15 lines modified | ||
| 237 | maintaining·accurate·logs·and·auditing·possible·security·breaches. | 237 | maintaining·accurate·logs·and·auditing·possible·security·breaches. |
| 238 | <br><br> | 238 | <br><br> |
| 239 | The·<code>chronyd</code>·and·<code>ntpd</code>·NTP·daemons·offer·all·of·the | 239 | The·<code>chronyd</code>·and·<code>ntpd</code>·NTP·daemons·offer·all·of·the |
| 240 | functionality·of·<code>ntpdate</code>,·which·is·now·deprecated.·Additional | 240 | functionality·of·<code>ntpdate</code>,·which·is·now·deprecated.·Additional |
| 241 | information·on·this·is·available·at | 241 | information·on·this·is·available·at |
| 242 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 242 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 243 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 243 | ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 244 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm385 | 244 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38573">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38573"><pre><code> |
| 245 | if·!·`rpm·-q·--quiet·chrony`·&&·!·`rpm·-q·--quiet·ntp-`;·then | 245 | if·!·`rpm·-q·--quiet·chrony`·&&·!·`rpm·-q·--quiet·ntp-`;·then |
| 246 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 246 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 247 | # | 247 | # |
| 248 | #·Example·Call(s): | 248 | #·Example·Call(s): |
| 249 | # | 249 | # |
| 250 | #·····package_install·aide | 250 | #·····package_install·aide |
| Offset 450, 15 lines modified | Offset 450, 15 lines modified | ||
| 450 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program· | 450 | <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program· |
| 451 | is·called·<code>sshd</code>·and·provided·by·the·RPM·package | 451 | is·called·<code>sshd</code>·and·provided·by·the·RPM·package |
| 452 | <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary | 452 | <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary |
| 453 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then | 453 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then |
| 454 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration | 454 | certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration |
| 455 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be | 455 | file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be |
| 456 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more | 456 | applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more |
| 457 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm39 | 457 | detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm39772"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval |
| 458 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout | 458 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout |
| 459 | interval. | 459 | interval. |
| 460 | After·this·interval·has·passed,·the·idle·user·will·be | 460 | After·this·interval·has·passed,·the·idle·user·will·be |
| 461 | automatically·logged·out. | 461 | automatically·logged·out. |
| 462 | <br><br> | 462 | <br><br> |
| 463 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | 463 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 464 | follows: | 464 | follows: |
| Offset 468, 15 lines modified | Offset 468, 15 lines modified | ||
| 468 | <br><br> | 468 | <br><br> |
| 469 | If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will· | 469 | If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will· |
| 470 | preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | 470 | preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH |
| 471 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of | 471 | from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of |
| 472 | opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session | 472 | opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session |
| 473 | enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 473 | enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 474 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 474 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 475 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm | 475 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm39797">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39797"><pre><code> |
| 476 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>" | 476 | sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>" |
| 477 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 477 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 478 | #·it·does·not·exist. | 478 | #·it·does·not·exist. |
| 479 | # | 479 | # |
| 480 | #·Expects·arguments: | 480 | #·Expects·arguments: |
| 481 | # | 481 | # |
| 482 | #·config_file:» » Configuration·file·that·will·be·modified | 482 | #·config_file:» » Configuration·file·that·will·be·modified |
| Max diff block lines reached; 358165/379597 bytes (94.35%) of diff not shown. | |||
| Offset 83, 23 lines modified | Offset 83, 23 lines modified | ||
| 83 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 83 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 84 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 84 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 85 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 85 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 86 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet | 86 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet |
| 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity | 87 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity |
| 88 | for·information·transmitted·on·the·network.·This·includes·authentication | 88 | for·information·transmitted·on·the·network.·This·includes·authentication |
| 89 | information·such·as·passwords.·Organizations·which·use·telnet·should·be | 89 | information·such·as·passwords.·Organizations·which·use·telnet·should·be |
| 90 | actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed"·id="guide-tree-leaf-idm362 | 90 | actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed"·id="guide-tree-leaf-idm36210"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet_removed">Remove·telnet·Clients |
| 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·client·allows·users·to·start·connections·to·other· | 91 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·client·allows·users·to·start·connections·to·other· |
| 92 | systems·via·the·telnet·protocol.</p><span·class="label·label-primary">Rationale:</span><p>The·<code>telnet</code>·protocol·is·insecure·and·unencrypted.·The·use | 92 | systems·via·the·telnet·protocol.</p><span·class="label·label-primary">Rationale:</span><p>The·<code>telnet</code>·protocol·is·insecure·and·unencrypted.·The·use |
| 93 | of·an·unencrypted·transmission·medium·could·allow·an·unauthorized·user | 93 | of·an·unencrypted·transmission·medium·could·allow·an·unauthorized·user |
| 94 | to·steal·credentials.·The·<code>ssh</code>·package·provides·an | 94 | to·steal·credentials.·The·<code>ssh</code>·package·provides·an |
| 95 | encrypted·session·and·stronger·security·and·is·included·in·Red·Hat | 95 | encrypted·session·and·stronger·security·and·is·included·in·Red·Hat |
| 96 | Enterprise·Linux.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 96 | Enterprise·Linux.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 97 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 97 | ························low</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 98 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm362 | 98 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36230">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36230"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 99 | # | 99 | # |
| 100 | #·Example·Call(s): | 100 | #·Example·Call(s): |
| 101 | # | 101 | # |
| 102 | #·····package_remove·telnet-server | 102 | #·····package_remove·telnet-server |
| 103 | # | 103 | # |
| 104 | function·package_remove·{ | 104 | function·package_remove·{ |
| Offset 129, 38 lines modified | Offset 129, 38 lines modified | ||
| 129 | ··echo·"Aborting." | 129 | ··echo·"Aborting." |
| 130 | ··exit·1 | 130 | ··exit·1 |
| 131 | fi | 131 | fi |
| 132 | } | 132 | } |
| 133 | package_remove·telnet | 133 | package_remove·telnet |
| 134 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm362 | 134 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36232">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36232"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnet·is·removed |
| 135 | ··package: | 135 | ··package: |
| 136 | ····name="{{item}}" | 136 | ····name="{{item}}" |
| 137 | ····state=absent | 137 | ····state=absent |
| 138 | ··with_items: | 138 | ··with_items: |
| 139 | ····-·telnet | 139 | ····-·telnet |
| 140 | ··tags: | 140 | ··tags: |
| 141 | ····-·package_telnet_removed | 141 | ····-·package_telnet_removed |
| 142 | ····-·low_severity | 142 | ····-·low_severity |
| 143 | ····-·disable_strategy | 143 | ····-·disable_strategy |
| 144 | ····-·low_complexity | 144 | ····-·low_complexity |
| 145 | ····-·low_disruption | 145 | ····-·low_disruption |
| 146 | ····-·CCE-27305-2 | 146 | ····-·CCE-27305-2 |
| 147 | ····-·NIST-800-171-3.1.13 | 147 | ····-·NIST-800-171-3.1.13 |
| 148 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm362 | 148 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36233">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36233"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnet |
| 149 | class·remove_telnet·{ | 149 | class·remove_telnet·{ |
| 150 | ··package·{·'telnet': | 150 | ··package·{·'telnet': |
| 151 | ····ensure·=>·'purged', | 151 | ····ensure·=>·'purged', |
| 152 | ··} | 152 | ··} |
| 153 | } | 153 | } |
| 154 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm362 | 154 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36234">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36234"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 155 | package·--remove=telnet | 155 | package·--remove=telnet |
| 156 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled"·id="guide-tree-leaf-idm362 | 156 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled"·id="guide-tree-leaf-idm36239"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_telnet_disabled">Disable·telnet·Service |
| 157 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_telnet_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet</code>·service·configuration·file·<code>/etc/xinetd.d/telnet</code> | 157 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_telnet_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet</code>·service·configuration·file·<code>/etc/xinetd.d/telnet</code> |
| 158 | is·not·created·automatically.·If·it·was·created·manually,·check·the | 158 | is·not·created·automatically.·If·it·was·created·manually,·check·the |
| 159 | <code>/etc/xinetd.d/telnet</code>·file·and·ensure·that·<code>disable·=·no</code> | 159 | <code>/etc/xinetd.d/telnet</code>·file·and·ensure·that·<code>disable·=·no</code> |
| 160 | is·changed·to·read·<code>disable·=·yes</code>·as·follows·below: | 160 | is·changed·to·read·<code>disable·=·yes</code>·as·follows·below: |
| 161 | <pre> | 161 | <pre> |
| 162 | #·description:·The·telnet·server·serves·telnet·sessions;·it·uses·\\ | 162 | #·description:·The·telnet·server·serves·telnet·sessions;·it·uses·\\ |
| 163 | #·······unencrypted·username/password·pairs·for·authentication. | 163 | #·······unencrypted·username/password·pairs·for·authentication. |
| Offset 183, 27 lines modified | Offset 183, 27 lines modified | ||
| 183 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: | 183 | ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command: |
| 184 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·telnet·protocol·uses·unencrypted·network·communication,·which | 184 | ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·telnet·protocol·uses·unencrypted·network·communication,·which |
| 185 | means·that·data·from·the·login·session,·including·passwords·and | 185 | means·that·data·from·the·login·session,·including·passwords·and |
| 186 | all·other·information·transmitted·during·the·session,·can·be | 186 | all·other·information·transmitted·during·the·session,·can·be |
| 187 | stolen·by·eavesdroppers·on·the·network.·The·telnet·protocol·is·also | 187 | stolen·by·eavesdroppers·on·the·network.·The·telnet·protocol·is·also |
| 188 | subject·to·man-in-the-middle·attacks.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 188 | subject·to·man-in-the-middle·attacks.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 189 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 189 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 190 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.18</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm362 | 190 | ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.18</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36265">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36265"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/telnet·&&·\ |
| 191 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/telnet | 191 | ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/telnet |
| 192 | # | 192 | # |
| 193 | #·Disable·telnet.socket·for·all·systemd·targets | 193 | #·Disable·telnet.socket·for·all·systemd·targets |
| 194 | # | 194 | # |
| 195 | systemctl·disable·telnet.socket | 195 | systemctl·disable·telnet.socket |
| 196 | # | 196 | # |
| 197 | #·Stop·telnet.socket·if·currently·running | 197 | #·Stop·telnet.socket·if·currently·running |
| 198 | # | 198 | # |
| 199 | systemctl·stop·telnet.socket | 199 | systemctl·stop·telnet.socket |
| 200 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm362 | 200 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36266">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36266"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·telnet |
| 201 | ··service: | 201 | ··service: |
| 202 | ····name="{{item}}" | 202 | ····name="{{item}}" |
| 203 | ····enabled="no" | 203 | ····enabled="no" |
| 204 | ····state="stopped" | 204 | ····state="stopped" |
| 205 | ··register:·service_result | 205 | ··register:·service_result |
| 206 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 206 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 207 | ··with_items: | 207 | ··with_items: |
| Offset 216, 29 lines modified | Offset 216, 29 lines modified | ||
| 216 | ····-·low_disruption | 216 | ····-·low_disruption |
| 217 | ····-·CCE-27401-9 | 217 | ····-·CCE-27401-9 |
| 218 | ····-·NIST-800-53-AC-17(8) | 218 | ····-·NIST-800-53-AC-17(8) |
| 219 | ····-·NIST-800-53-CM-7 | 219 | ····-·NIST-800-53-CM-7 |
| 220 | ····-·NIST-800-53-IA-5(1)(c) | 220 | ····-·NIST-800-53-IA-5(1)(c) |
| 221 | ····-·NIST-800-171-3.1.13 | 221 | ····-·NIST-800-171-3.1.13 |
| 222 | ····-·NIST-800-171-3.4.7 | 222 | ····-·NIST-800-171-3.4.7 |
| 223 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm362 | 223 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36271"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package |
| 224 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with | 224 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with |
| 225 | the·following·command: | 225 | the·following·command: |
| 226 | <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding | 226 | <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding |
| 227 | requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore | 227 | requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore |
| 228 | may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors. | 228 | may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors. |
| 229 | <br> | 229 | <br> |
| 230 | The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the· | 230 | The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the· |
| 231 | confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were | 231 | confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were |
| 232 | to·login·using·this·service,·the·privileged·user·password·could·be·compromised. | 232 | to·login·using·this·service,·the·privileged·user·password·could·be·compromised. |
| 233 | <br> | 233 | <br> |
| 234 | Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental· | 234 | Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental· |
| 235 | (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 235 | (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 236 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 236 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 237 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 237 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36298">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36298"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 238 | # | 238 | # |
| 239 | #·Example·Call(s): | 239 | #·Example·Call(s): |
| 240 | # | 240 | # |
| 241 | #·····package_remove·telnet-server | 241 | #·····package_remove·telnet-server |
| 242 | # | 242 | # |
| 243 | function·package_remove·{ | 243 | function·package_remove·{ |
| Offset 268, 15 lines modified | Offset 268, 15 lines modified | ||
| 268 | ··echo·"Aborting." | 268 | ··echo·"Aborting." |
| 269 | ··exit·1 | 269 | ··exit·1 |
| 270 | fi | 270 | fi |
| 271 | } | 271 | } |
| Max diff block lines reached; 132658/157561 bytes (84.19%) of diff not shown. | |||
| Offset 71, 28 lines modified | Offset 71, 28 lines modified | ||
| 71 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional | 71 | Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional |
| 72 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up | 72 | system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up |
| 73 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons | 73 | the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons |
| 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to | 74 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to |
| 75 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost | 75 | be·executed·at·a·later·time.·The·cron·service·is·required·by·almost |
| 76 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or | 76 | all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or |
| 77 | may·not·be·required·on·a·given·system.·Both·daemons·should·be | 77 | may·not·be·required·on·a·given·system.·Both·daemons·should·be |
| 78 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm369 | 78 | configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm36993"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd) |
| 79 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to | 79 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to |
| 80 | schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed | 80 | schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed |
| 81 | execution·in·a·manner·similar·to·cron,·except·that·it·is·not | 81 | execution·in·a·manner·similar·to·cron,·except·that·it·is·not |
| 82 | recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via | 82 | recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via |
| 83 | <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time. | 83 | <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time. |
| 84 | ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command: | 84 | ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command: |
| 85 | ········<pre>$·sudo·systemctl·disable·atd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry | 85 | ········<pre>$·sudo·systemctl·disable·atd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry |
| 86 | out·activities·outside·of·a·normal·login·session,·which·could·complicate | 86 | out·activities·outside·of·a·normal·login·session,·which·could·complicate |
| 87 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or | 87 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or |
| 88 | <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 88 | <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 89 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 89 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 90 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm3 | 90 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm37009">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm37009"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 91 | # | 91 | # |
| 92 | #·Example·Call(s): | 92 | #·Example·Call(s): |
| 93 | # | 93 | # |
| 94 | #·····service_command·enable·bluetooth | 94 | #·····service_command·enable·bluetooth |
| 95 | #·····service_command·disable·bluetooth.service | 95 | #·····service_command·disable·bluetooth.service |
| 96 | # | 96 | # |
| 97 | #·····Using·xinetd: | 97 | #·····Using·xinetd: |
| Offset 160, 15 lines modified | Offset 160, 15 lines modified | ||
| 160 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 160 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 161 | ··fi | 161 | ··fi |
| 162 | fi | 162 | fi |
| 163 | } | 163 | } |
| 164 | service_command·disable·atd | 164 | service_command·disable·atd |
| 165 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm3 | 165 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm37011">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm37011"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd |
| 166 | ··service: | 166 | ··service: |
| 167 | ····name="{{item}}" | 167 | ····name="{{item}}" |
| 168 | ····enabled="no" | 168 | ····enabled="no" |
| 169 | ····state="stopped" | 169 | ····state="stopped" |
| 170 | ··register:·service_result | 170 | ··register:·service_result |
| 171 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 171 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 172 | ··with_items: | 172 | ··with_items: |
| Offset 183, 27 lines modified | Offset 183, 27 lines modified | ||
| 183 | ····-·NIST-800-53-CM-7 | 183 | ····-·NIST-800-53-CM-7 |
| 184 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_base"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_base">Base·Services | 184 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_base"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_base">Base·Services |
| 185 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·addresses·the·base·services·that·are·installed·on·a | 185 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·addresses·the·base·services·that·are·installed·on·a |
| 186 | Red·Hat·Enterprise·Linux·7·default·installation·which·are·not·covered·in·other | 186 | Red·Hat·Enterprise·Linux·7·default·installation·which·are·not·covered·in·other |
| 187 | sections.·Some·of·these·services·listen·on·the·network·and | 187 | sections.·Some·of·these·services·listen·on·the·network·and |
| 188 | should·be·treated·with·particular·discretion.·Other·services·are·local | 188 | should·be·treated·with·particular·discretion.·Other·services·are·local |
| 189 | system·utilities·that·may·or·may·not·be·extraneous.·In·general,·system·services | 189 | system·utilities·that·may·or·may·not·be·extraneous.·In·general,·system·services |
| 190 | should·be·disabled·if·not·required.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·id="guide-tree-leaf-idm38 | 190 | should·be·disabled·if·not·required.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·id="guide-tree-leaf-idm38655"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled">Disable·Network·Router·Discovery·Daemon·(rdisc) |
| 191 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rdisc_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rdisc</code>·service·implements·the·client·side·of·the·ICMP | 191 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rdisc_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rdisc</code>·service·implements·the·client·side·of·the·ICMP |
| 192 | Internet·Router·Discovery·Protocol·(IRDP),·which·allows·discovery·of·routers·on | 192 | Internet·Router·Discovery·Protocol·(IRDP),·which·allows·discovery·of·routers·on |
| 193 | the·local·subnet.·If·a·router·is·discovered·then·the·local·routing·table·is | 193 | the·local·subnet.·If·a·router·is·discovered·then·the·local·routing·table·is |
| 194 | updated·with·a·corresponding·default·route.·By·default·this·daemon·is·disabled. | 194 | updated·with·a·corresponding·default·route.·By·default·this·daemon·is·disabled. |
| 195 | ········The·<code>rdisc</code>·service·can·be·disabled·with·the·following·command: | 195 | ········The·<code>rdisc</code>·service·can·be·disabled·with·the·following·command: |
| 196 | ········<pre>$·sudo·systemctl·disable·rdisc.service</pre></p><span·class="label·label-primary">Rationale:</span><p>General-purpose·systems·typically·have·their·network·and·routing | 196 | ········<pre>$·sudo·systemctl·disable·rdisc.service</pre></p><span·class="label·label-primary">Rationale:</span><p>General-purpose·systems·typically·have·their·network·and·routing |
| 197 | information·configured·statically·by·a·system·administrator.·Workstations·or | 197 | information·configured·statically·by·a·system·administrator.·Workstations·or |
| 198 | some·special-purpose·systems·often·use·DHCP·(instead·of·IRDP)·to·retrieve | 198 | some·special-purpose·systems·often·use·DHCP·(instead·of·IRDP)·to·retrieve |
| 199 | dynamic·network·configuration·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 199 | dynamic·network·configuration·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 200 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 200 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 201 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38 | 201 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38666">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38666"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 202 | # | 202 | # |
| 203 | #·Example·Call(s): | 203 | #·Example·Call(s): |
| 204 | # | 204 | # |
| 205 | #·····service_command·enable·bluetooth | 205 | #·····service_command·enable·bluetooth |
| 206 | #·····service_command·disable·bluetooth.service | 206 | #·····service_command·disable·bluetooth.service |
| 207 | # | 207 | # |
| 208 | #·····Using·xinetd: | 208 | #·····Using·xinetd: |
| Offset 271, 15 lines modified | Offset 271, 15 lines modified | ||
| 271 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 271 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 272 | ··fi | 272 | ··fi |
| 273 | fi | 273 | fi |
| 274 | } | 274 | } |
| 275 | service_command·disable·rdisc | 275 | service_command·disable·rdisc |
| 276 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm38 | 276 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm38668">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38668"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rdisc |
| 277 | ··service: | 277 | ··service: |
| 278 | ····name="{{item}}" | 278 | ····name="{{item}}" |
| 279 | ····enabled="no" | 279 | ····enabled="no" |
| 280 | ····state="stopped" | 280 | ····state="stopped" |
| 281 | ··register:·service_result | 281 | ··register:·service_result |
| 282 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 282 | ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 283 | ··with_items: | 283 | ··with_items: |
| Offset 290, 27 lines modified | Offset 290, 27 lines modified | ||
| 290 | ····-·disable_strategy | 290 | ····-·disable_strategy |
| 291 | ····-·low_complexity | 291 | ····-·low_complexity |
| 292 | ····-·low_disruption | 292 | ····-·low_disruption |
| 293 | ····-·CCE-80268-6 | 293 | ····-·CCE-80268-6 |
| 294 | ····-·NIST-800-53-AC-17(8) | 294 | ····-·NIST-800-53-AC-17(8) |
| 295 | ····-·NIST-800-53-AC-4 | 295 | ····-·NIST-800-53-AC-4 |
| 296 | ····-·NIST-800-53-CM-7 | 296 | ····-·NIST-800-53-CM-7 |
| 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·id="guide-tree-leaf-idm387 | 297 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·id="guide-tree-leaf-idm38788"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">Disable·Odd·Job·Daemon·(oddjobd) |
| 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>oddjobd</code>·service·exists·to·provide·an·interface·and | 298 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>oddjobd</code>·service·exists·to·provide·an·interface·and |
| 299 | access·control·mechanism·through·which | 299 | access·control·mechanism·through·which |
| 300 | specified·privileged·tasks·can·run·tasks·for·unprivileged·client | 300 | specified·privileged·tasks·can·run·tasks·for·unprivileged·client |
| 301 | applications.·Communication·with·<code>oddjobd</code>·through·the·system·message·bus. | 301 | applications.·Communication·with·<code>oddjobd</code>·through·the·system·message·bus. |
| 302 | ········The·<code>oddjobd</code>·service·can·be·disabled·with·the·following·command: | 302 | ········The·<code>oddjobd</code>·service·can·be·disabled·with·the·following·command: |
| 303 | ········<pre>$·sudo·systemctl·disable·oddjobd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>oddjobd</code>·service·may·provide·necessary·functionality·in | 303 | ········<pre>$·sudo·systemctl·disable·oddjobd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>oddjobd</code>·service·may·provide·necessary·functionality·in |
| 304 | some·environments,·and·can·be·disabled·if·it·is·not·needed.·Execution·of | 304 | some·environments,·and·can·be·disabled·if·it·is·not·needed.·Execution·of |
| 305 | tasks·by·privileged·programs,·on·behalf·of·unprivileged·ones,·has·traditionally | 305 | tasks·by·privileged·programs,·on·behalf·of·unprivileged·ones,·has·traditionally |
| 306 | been·a·source·of·privilege·escalation·security·issues.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 306 | been·a·source·of·privilege·escalation·security·issues.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 307 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 307 | ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 308 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm387 | 308 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm38799">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38799"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 309 | # | 309 | # |
| 310 | #·Example·Call(s): | 310 | #·Example·Call(s): |
| 311 | # | 311 | # |
| 312 | #·····service_command·enable·bluetooth | 312 | #·····service_command·enable·bluetooth |
| 313 | #·····service_command·disable·bluetooth.service | 313 | #·····service_command·disable·bluetooth.service |
| 314 | # | 314 | # |
| 315 | #·····Using·xinetd: | 315 | #·····Using·xinetd: |
| Offset 378, 15 lines modified | Offset 378, 15 lines modified | ||
| 378 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 378 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 379 | ··fi | 379 | ··fi |
| 380 | fi | 380 | fi |
| 381 | } | 381 | } |
| 382 | service_command·disable·oddjobd | 382 | service_command·disable·oddjobd |
| 383 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm38 | 383 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm38801">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38801"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·oddjobd |
| 384 | ··service: | 384 | ··service: |
| 385 | ····name="{{item}}" | 385 | ····name="{{item}}" |
| Max diff block lines reached; 316204/334498 bytes (94.53%) of diff not shown. | |||
| Offset 92, 65 lines modified | Offset 92, 65 lines modified | ||
| 92 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict | 92 | these·services·for·legacy·reasons,·care·should·be·taken·to·restrict |
| 93 | the·service·as·much·as·possible,·for·instance·by·configuring·host | 93 | the·service·as·much·as·possible,·for·instance·by·configuring·host |
| 94 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the | 94 | firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the |
| 95 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known | 95 | vulnerable·service·to·only·those·remote·hosts·which·have·a·known |
| 96 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec | 96 | need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec |
| 97 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which | 97 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which |
| 98 | allow·cleartext·remote·access·and·have·an·insecure·trust | 98 | allow·cleartext·remote·access·and·have·an·insecure·trust |
| 99 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36 | 99 | model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36090"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_host_based_files">Remove·Host-Based·Authentication·Files |
| 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts | 100 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts |
| 101 | and·users·that·are·trusted·by·the·local·system. | 101 | and·users·that·are·trusted·by·the·local·system. |
| 102 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any | 102 | To·remove·these·files,·run·the·following·command·to·delete·them·from·any |
| 103 | location: | 103 | location: |
| 104 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the | 104 | <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the |
| 105 | system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing | 105 | system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing |
| 106 | unauthorized·access·to·the·system,·as·it·does·not·require·interactive | 106 | unauthorized·access·to·the·system,·as·it·does·not·require·interactive |
| 107 | identification·and·authentication·of·a·connection·request,·or·for·the·use·of | 107 | identification·and·authentication·of·a·connection·request,·or·for·the·use·of |
| 108 | two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 108 | two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 109 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 109 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 110 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 110 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36099">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36099"><pre><code> |
| 111 | #·Identify·local·mounts | 111 | #·Identify·local·mounts |
| 112 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 112 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 113 | #·Find·file·on·each·listed·mount·point | 113 | #·Find·file·on·each·listed·mount·point |
| 114 | for·cur_mount·in·${MOUNT_LIST} | 114 | for·cur_mount·in·${MOUNT_LIST} |
| 115 | do | 115 | do |
| 116 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; | 116 | » find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\; |
| 117 | done | 117 | done |
| 118 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm361 | 118 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36135"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files |
| 119 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files | 119 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files |
| 120 | list·remote·hosts·and·users·that·are·trusted·by·the | 120 | list·remote·hosts·and·users·that·are·trusted·by·the |
| 121 | local·system.·To·remove·these·files,·run·the·following·command | 121 | local·system.·To·remove·these·files,·run·the·following·command |
| 122 | to·delete·them·from·any·location: | 122 | to·delete·them·from·any·location: |
| 123 | <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for | 123 | <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for |
| 124 | individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not | 124 | individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not |
| 125 | sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not | 125 | sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not |
| 126 | require·interactive·identification·and·authentication·of·a·connection·request, | 126 | require·interactive·identification·and·authentication·of·a·connection·request, |
| 127 | or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 127 | or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 128 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 129 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm361 | 129 | ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36144">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36144"><pre><code> |
| 130 | #·Identify·local·mounts | 130 | #·Identify·local·mounts |
| 131 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· | 131 | MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')· |
| 132 | #·Find·file·on·each·listed·mount·point | 132 | #·Find·file·on·each·listed·mount·point |
| 133 | for·cur_mount·in·${MOUNT_LIST} | 133 | for·cur_mount·in·${MOUNT_LIST} |
| 134 | do | 134 | do |
| 135 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; | 135 | » find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\; |
| 136 | done | 136 | done |
| 137 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm361 | 137 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36149"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package |
| 138 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with | 138 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with |
| 139 | the·following·command: | 139 | the·following·command: |
| 140 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not | 140 | <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not |
| 141 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak | 141 | provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak |
| 142 | authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password | 142 | authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password |
| 143 | could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure | 143 | could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure |
| 144 | network·services.·Removing·it·decreases·the·risk·of·those·services'·accidental·(or·intentional) | 144 | network·services.·Removing·it·decreases·the·risk·of·those·services'·accidental·(or·intentional) |
| 145 | activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 145 | activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 146 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 146 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 147 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm361 | 147 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36174">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36174"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 148 | # | 148 | # |
| 149 | #·Example·Call(s): | 149 | #·Example·Call(s): |
| 150 | # | 150 | # |
| 151 | #·····package_remove·telnet-server | 151 | #·····package_remove·telnet-server |
| 152 | # | 152 | # |
| 153 | function·package_remove·{ | 153 | function·package_remove·{ |
| Offset 180, 15 lines modified | Offset 180, 15 lines modified | ||
| 180 | ··echo·"Aborting." | 180 | ··echo·"Aborting." |
| 181 | ··exit·1 | 181 | ··exit·1 |
| 182 | fi | 182 | fi |
| 183 | } | 183 | } |
| 184 | package_remove·rsh-server | 184 | package_remove·rsh-server |
| 185 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm361 | 185 | </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36176">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36176"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh-server·is·removed |
| 186 | ··package: | 186 | ··package: |
| 187 | ····name="{{item}}" | 187 | ····name="{{item}}" |
| 188 | ····state=absent | 188 | ····state=absent |
| 189 | ··with_items: | 189 | ··with_items: |
| 190 | ····-·rsh-server | 190 | ····-·rsh-server |
| 191 | ··tags: | 191 | ··tags: |
| 192 | ····-·package_rsh-server_removed | 192 | ····-·package_rsh-server_removed |
| Offset 196, 42 lines modified | Offset 196, 42 lines modified | ||
| 196 | ····-·disable_strategy | 196 | ····-·disable_strategy |
| 197 | ····-·low_complexity | 197 | ····-·low_complexity |
| 198 | ····-·low_disruption | 198 | ····-·low_disruption |
| 199 | ····-·CCE-27342-5 | 199 | ····-·CCE-27342-5 |
| 200 | ····-·NIST-800-53-AC-17(8) | 200 | ····-·NIST-800-53-AC-17(8) |
| 201 | ····-·NIST-800-53-CM-7(a) | 201 | ····-·NIST-800-53-CM-7(a) |
| 202 | ····-·DISA-STIG-RHEL-07-020000 | 202 | ····-·DISA-STIG-RHEL-07-020000 |
| 203 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 203 | </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36177">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36177"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh-server |
| 204 | class·remove_rsh-server·{ | 204 | class·remove_rsh-server·{ |
| 205 | ··package·{·'rsh-server': | 205 | ··package·{·'rsh-server': |
| 206 | ····ensure·=>·'purged', | 206 | ····ensure·=>·'purged', |
| 207 | ··} | 207 | ··} |
| 208 | } | 208 | } |
| 209 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36 | 209 | </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span> <a·data-toggle="collapse"·data-target="#idm36178">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36178"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code> |
| 210 | package·--remove=rsh-server | 210 | package·--remove=rsh-server |
| 211 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet | 211 | </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet |
| 212 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity | 212 | ························ <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity |
| 213 | for·information·transmitted·on·the·network.·This·includes·authentication | 213 | for·information·transmitted·on·the·network.·This·includes·authentication |
| 214 | information·such·as·passwords.·Organizations·which·use·telnet·should·be | 214 | information·such·as·passwords.·Organizations·which·use·telnet·should·be |
| 215 | actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm362 | 215 | actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36271"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package |
| 216 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with | 216 | ···················· <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with |
| 217 | the·following·command: | 217 | the·following·command: |
| 218 | <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding | 218 | <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding |
| 219 | requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore | 219 | requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore |
| 220 | may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors. | 220 | may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors. |
| 221 | <br> | 221 | <br> |
| 222 | The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the· | 222 | The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the· |
| 223 | confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were | 223 | confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were |
| 224 | to·login·using·this·service,·the·privileged·user·password·could·be·compromised. | 224 | to·login·using·this·service,·the·privileged·user·password·could·be·compromised. |
| 225 | <br> | 225 | <br> |
| 226 | Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental· | 226 | Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental· |
| 227 | (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> | 227 | (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> |
| 228 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> | 228 | ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> |
| 229 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36 | 229 | ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span> <a·data-toggle="collapse"·data-target="#idm36298">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36298"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 230 | # | 230 | # |
| 231 | #·Example·Call(s): | 231 | #·Example·Call(s): |
| 232 | # | 232 | # |
| 233 | #·····package_remove·telnet-server | 233 | #·····package_remove·telnet-server |
| 234 | # | 234 | # |
| 235 | function·package_remove·{ | 235 | function·package_remove·{ |
| Offset 261, 15 lines modified | Offset 261, 15 lines modified | ||
| 261 | ··echo·"Aborting." | 261 | ··echo·"Aborting." |
| 262 | ··exit·1 | 262 | ··exit·1 |
| Max diff block lines reached; 928191/953987 bytes (97.30%) of diff not shown. | |||
| Offset 37, 73 lines modified | Offset 37, 111 lines modified | ||
| 37 | <table> | 37 | <table> |
| 38 | <thead> | 38 | <thead> |
| 39 | <td>CCE·ID</td> | 39 | <td>CCE·ID</td> |
| 40 | <td>Rule·Title</td> | 40 | <td>Rule·Title</td> |
| 41 | <td>Description</td> | 41 | <td>Description</td> |
| 42 | </thead> | 42 | </thead> |
| 43 | <tr> | 43 | <tr> |
| 44 | <td>CCE-271 | 44 | <td>CCE-27115-5</td> |
| 45 | <td> | 45 | <td>Restrict·Access·to·Anonymous·Users·if·Possible</td> |
| 46 | <td·xml:lang="en-US"> | 46 | <td·xml:lang="en-US">Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than |
| 47 | ············ | 47 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: |
| 48 | 48 | <pre>local_enable=NO</pre> | |
| 49 | ······ | 49 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure |
| 50 | ····· | 50 | these·logins·as·much·as·possible.</td> |
| 51 | </tr> | 51 | </tr> |
| 52 | <tr> | 52 | <tr> |
| 53 | <td> | 53 | <td></td> |
| 54 | <td>U | 54 | <td>Limit·Users·Allowed·FTP·Access·if·Necessary</td> |
| 55 | <td·xml:lang="en-US"> | 55 | <td·xml:lang="en-US">If·there·is·a·mission-critical·reason·for·users·to·access·their·accounts·via·the·insecure·FTP·protocol,·limit·the·set·of·users·who·are·allowed·this·access.·Edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·options: |
| 56 | 56 | <pre>userlist_enable=YES | |
| 57 | 57 | userlist_file=/etc/vsftp.ftpusers | |
| 58 | 58 | userlist_deny=NO</pre> | |
| 59 | ·········· | 59 | Edit·the·file·<code>/etc/vsftp.ftpusers</code>.·For·each·user·USERNAME·who·should·be·allowed·to·access·the·system·via·FTP,·add·a·line·containing·that·user's·name: |
| 60 | <pre>USERNAME</pre> | ||
| 61 | If·anonymous·access·is·also·required,·add·the·anonymous·usernames·to·<code>/etc/vsftp.ftpusers</code>·as·well. | ||
| 62 | <pre>anonymous | ||
| 63 | ftp</pre> | ||
| 64 | </td> | ||
| 60 | </tr> | 65 | </tr> |
| 61 | <tr> | 66 | <tr> |
| 62 | <td> | 67 | <td></td> |
| 63 | <td> | 68 | <td>Configure·Firewalls·to·Protect·the·FTP·Server</td> |
| 64 | <td·xml:lang="en-US"> | 69 | <td·xml:lang="en-US">By·default,·<code>iptables</code> |
| 70 | blocks·access·to·the·ports·used·by·the·web·server. | ||
| 65 | ········T | 71 | ········To·configure·<code>iptables</code>·to·allow·port |
| 66 | ········ | 72 | ········21·traffic·one·must·edit |
| 73 | ········<code>/etc/sysconfig/iptables</code>·and | ||
| 74 | ········<code>/etc/sysconfig/ip6tables</code>·(if·IPv6·is·in·use). | ||
| 75 | ········Add·the·following·line,·ensuring·that·it·appears·before·the·final·LOG | ||
| 76 | ········and·DROP·lines·for·the·INPUT·chain: | ||
| 77 | ········<pre·xml:space="preserve">-A·INPUT·-m·state·--state·NEW·-p·tcp·--dport·21·-j·ACCEPT</pre> | ||
| 78 | Edit·the·file·<code>/etc/sysconfig/iptables-config</code>.·Ensure·that·the·space-separated·list·of·modules·contains | ||
| 79 | the·FTP·connection·tracking·module: | ||
| 80 | <pre>IPTABLES_MODULES="ip_conntrack_ftp"</pre> | ||
| 67 | </td> | 81 | </td> |
| 68 | </tr> | 82 | </tr> |
| 69 | <tr> | 83 | <tr> |
| 70 | <td>CCE-27 | 84 | <td>CCE-27411-8</td> |
| 71 | <td> | 85 | <td>Place·the·FTP·Home·Directory·on·its·Own·Partition</td> |
| 72 | <td·xml:lang="en-US"> | 86 | <td·xml:lang="en-US">By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can |
| 73 | 87 | be·used·to·verify·that·this·directory·is·on·its·own·partition.</td> | |
| 74 | administrator·group: | ||
| 75 | <pre>[<i>share</i>] | ||
| 76 | ··invalid·users·=·root·@wheel</pre> | ||
| 77 | If·administrator·accounts·cannot·be·disabled,·ensure·that·local·system | ||
| 78 | passwords·and·Samba·service·passwords·do·not·match.</td> | ||
| 79 | </tr> | 88 | </tr> |
| 80 | <tr> | 89 | <tr> |
| 81 | <td>CCE-2 | 90 | <td>CCE-27142-9</td> |
| 82 | <td> | 91 | <td>Enable·Logging·of·All·FTP·Transactions</td> |
| 83 | <td·xml:lang="en-US"> | 92 | <td·xml:lang="en-US">Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code> |
| 84 | 93 | configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>: | |
| 85 | 94 | <pre>xferlog_enable=YES | |
| 86 | 95 | xferlog_std_format=NO | |
| 87 | 96 | log_ftp_protocol=YES</pre> | |
| 88 | 97 | </td> | |
| 89 | only·communicate·with·servers·that·support·packet·signing.</td> | ||
| 90 | </tr> | 98 | </tr> |
| 91 | <tr> | 99 | <tr> |
| 92 | <td>CCE-2 | 100 | <td>CCE-27117-1</td> |
| 93 | <td> | 101 | <td>Disable·FTP·Uploads·if·Possible</td> |
| 94 | <td·xml:lang="en-US"> | 102 | <td·xml:lang="en-US">Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not, |
| 95 | 103 | edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options: | |
| 96 | 104 | <pre>write_enable=NO</pre> | |
| 97 | 105 | If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions | |
| 98 | 106 | as·much·as·possible.</td> | |
| 99 | 107 | </tr> | |
| 100 | 108 | <tr> | |
| 101 | 109 | <td>CCE-27145-2</td> | |
| 110 | <td>Create·Warning·Banners·for·All·FTP·Users</td> | ||
| 111 | <td·xml:lang="en-US">Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code> | ||
| 112 | by·default.·Add·or·correct·the·following·configuration·options: | ||
| 113 | <pre>banner_file=/etc/issue</pre> | ||
| 114 | </td> | ||
| 115 | </tr> | ||
| 116 | <tr> | ||
| 117 | <td>CCE-27187-4</td> | ||
| 118 | <td>Install·vsftpd·Package</td> | ||
| 119 | <td·xml:lang="en-US">If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. | ||
| 120 | <pre>$·sudo·yum·install·vsftpd</pre> | ||
| 121 | </td> | ||
| 122 | </tr> | ||
| 123 | <tr> | ||
| 124 | <td>CCE-26948-0</td> | ||
| 125 | <td>Disable·vsftpd·Service</td> | ||
| 126 | <td·xml:lang="en-US"> | ||
| 127 | ············ | ||
| 128 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: | ||
| 129 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> | ||
| 130 | ··········</td> | ||
| 131 | </tr> | ||
| 132 | <tr> | ||
| 133 | <td>CCE-26687-4</td> | ||
| 134 | <td>Uninstall·vsftpd·Package</td> | ||
| 135 | <td·xml:lang="en-US"> | ||
| 136 | ············ | ||
| 137 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | ||
| 138 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | ||
| 139 | ··········</td> | ||
| 102 | </tr> | 140 | </tr> |
| 103 | <tr> | 141 | <tr> |
| 104 | <td>CCE-27075-1</td> | 142 | <td>CCE-27075-1</td> |
| 105 | <td>Disable·httpd·Service</td> | 143 | <td>Disable·httpd·Service</td> |
| 106 | <td·xml:lang="en-US"> | 144 | <td·xml:lang="en-US"> |
| 107 | ············ | 145 | ············ |
| 108 | ········The·<code>httpd</code>·service·can·be·disabled·with·the·following·command: | 146 | ········The·<code>httpd</code>·service·can·be·disabled·with·the·following·command: |
| Offset 237, 69 lines modified | Offset 275, 57 lines modified | ||
| 237 | <td·xml:lang="en-US">The·<code>ldap</code>·module·provides·HTTP·authentication·via·an·LDAP·directory. | 275 | <td·xml:lang="en-US">The·<code>ldap</code>·module·provides·HTTP·authentication·via·an·LDAP·directory. |
| 238 | If·its·functionality·is·unnecessary,·comment·out·the·related·modules: | 276 | If·its·functionality·is·unnecessary,·comment·out·the·related·modules: |
| 239 | <pre>#LoadModule·ldap_module·modules/mod_ldap.so | 277 | <pre>#LoadModule·ldap_module·modules/mod_ldap.so |
| 240 | #LoadModule·authnz_ldap_module·modules/mod_authnz_ldap.so</pre> | 278 | #LoadModule·authnz_ldap_module·modules/mod_authnz_ldap.so</pre> |
| 241 | If·LDAP·is·to·be·used,·SSL·encryption·should·be·used·as·well.</td> | 279 | If·LDAP·is·to·be·used,·SSL·encryption·should·be·used·as·well.</td> |
| 242 | </tr> | 280 | </tr> |
| 243 | <tr> | 281 | <tr> |
| 244 | <td>CCE-27 | 282 | <td>CCE-27362-3</td> |
| 245 | <td>Disable· | 283 | <td>Disable·CGI·Support</td> |
| Max diff block lines reached; 219003/226906 bytes (96.52%) of diff not shown. | |||
| Offset 42, 14 lines modified | Offset 42, 72 lines modified | ||
| 42 | <td>Rule·Title</td> | 42 | <td>Rule·Title</td> |
| 43 | <td>Description</td> | 43 | <td>Description</td> |
| 44 | <td>Rationale</td> | 44 | <td>Rationale</td> |
| 45 | <td>Variable·Setting</td> | 45 | <td>Variable·Setting</td> |
| 46 | </thead> | 46 | </thead> |
| 47 | <tr> | 47 | <tr> |
| 48 | <td>CM-7</td> | 48 | <td>CM-7</td> |
| 49 | <td>Restrict·Access·to·Anonymous·Users·if·Possible</td> | ||
| 50 | <td·xml:lang="en-US">Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than | ||
| 51 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: | ||
| 52 | <pre>local_enable=NO</pre> | ||
| 53 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure | ||
| 54 | these·logins·as·much·as·possible.</td> | ||
| 55 | <td·xml:lang="en-US">The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</td> | ||
| 56 | <td></td> | ||
| 57 | </tr> | ||
| 58 | <tr> | ||
| 59 | <td>AC-3</td> | ||
| 60 | <td>Restrict·Access·to·Anonymous·Users·if·Possible</td> | ||
| 61 | <td·xml:lang="en-US">Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than | ||
| 62 | using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option: | ||
| 63 | <pre>local_enable=NO</pre> | ||
| 64 | If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure | ||
| 65 | these·logins·as·much·as·possible.</td> | ||
| 66 | <td·xml:lang="en-US">The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</td> | ||
| 67 | <td></td> | ||
| 68 | </tr> | ||
| 69 | <tr> | ||
| 70 | <td>CM-7</td> | ||
| 71 | <td>Install·vsftpd·Package</td> | ||
| 72 | <td·xml:lang="en-US">If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels. | ||
| 73 | <pre>$·sudo·yum·install·vsftpd</pre> | ||
| 74 | </td> | ||
| 75 | <td·xml:lang="en-US">After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security | ||
| 76 | and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</td> | ||
| 77 | <td></td> | ||
| 78 | </tr> | ||
| 79 | <tr> | ||
| 80 | <td>CM-7</td> | ||
| 81 | <td>Disable·vsftpd·Service</td> | ||
| 82 | <td·xml:lang="en-US"> | ||
| 83 | ············ | ||
| 84 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: | ||
| 85 | ········<pre>$·sudo·chkconfig·vsftpd·off</pre> | ||
| 86 | ··········</td> | ||
| 87 | <td·xml:lang="en-US">Running·FTP·server·software·provides·a·network-based·avenue | ||
| 88 | of·attack,·and·should·be·disabled·if·not·needed. | ||
| 89 | Furthermore,·the·FTP·protocol·is·unencrypted·and·creates | ||
| 90 | a·risk·of·compromising·sensitive·information.</td> | ||
| 91 | <td></td> | ||
| 92 | </tr> | ||
| 93 | <tr> | ||
| 94 | <td>CM-7</td> | ||
| 95 | <td>Uninstall·vsftpd·Package</td> | ||
| 96 | <td·xml:lang="en-US"> | ||
| 97 | ············ | ||
| 98 | ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command: | ||
| 99 | ········<pre>$·sudo·yum·erase·vsftpd</pre> | ||
| 100 | ··········</td> | ||
| 101 | <td·xml:lang="en-US">Removing·the·vsftpd·package·decreases·the·risk·of·its | ||
| 102 | accidental·activation.</td> | ||
| 103 | <td></td> | ||
| 104 | </tr> | ||
| 105 | <tr> | ||
| 106 | <td>CM-7</td> | ||
| 49 | <td>Disable·httpd·Service</td> | 107 | <td>Disable·httpd·Service</td> |
| 50 | <td·xml:lang="en-US"> | 108 | <td·xml:lang="en-US"> |
| 51 | ············ | 109 | ············ |
| 52 | ········The·<code>httpd</code>·service·can·be·disabled·with·the·following·command: | 110 | ········The·<code>httpd</code>·service·can·be·disabled·with·the·following·command: |
| 53 | ········<pre>$·sudo·chkconfig·httpd·off</pre> | 111 | ········<pre>$·sudo·chkconfig·httpd·off</pre> |
| 54 | ··········</td> | 112 | ··········</td> |
| 55 | <td·xml:lang="en-US">Running·web·server·software·provides·a·network-based·avenue | 113 | <td·xml:lang="en-US">Running·web·server·software·provides·a·network-based·avenue |
| Offset 113, 74 lines modified | Offset 171, 82 lines modified | ||
| 113 | This·is·its·default·setting.</td> | 171 | This·is·its·default·setting.</td> |
| 114 | <td·xml:lang="en-US">Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker | 172 | <td·xml:lang="en-US">Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker |
| 115 | to·access·information·about·the·web·server·or·alter·the·server's·log·files.</td> | 173 | to·access·information·about·the·web·server·or·alter·the·server's·log·files.</td> |
| 116 | <td></td> | 174 | <td></td> |
| 117 | </tr> | 175 | </tr> |
| 118 | <tr> | 176 | <tr> |
| 119 | <td>CM-7</td> | 177 | <td>CM-7</td> |
| 120 | <td> | 178 | <td>Authenticate·Zone·Transfers</td> |
| 121 | <td·xml:lang="en-US"> | 179 | <td·xml:lang="en-US">If·it·is·necessary·for·a·secondary·nameserver·to·receive·zone·data |
| 122 | 180 | via·zone·transfer·from·the·primary·server,·follow·the·instructions·here.··Use | |
| 123 | 181 | dnssec-keygen·to·create·a·symmetric·key·file·in·the·current·directory: | |
| 124 | </t | 182 | <pre>$·cd·/tmp |
| 125 | 183 | $·sudo·dnssec-keygen·-a·HMAC-MD5·-b·128·-n·HOST·dns.example.com | |
| 126 | 184 | Kdns.example.com·.+aaa·+iiiii</pre> | |
| 127 | 185 | This·output·is·the·name·of·a·file·containing·the·new·key.·Read·the·file·to·find | |
| 128 | 186 | the·base64-encoded·key·string: | |
| 129 | < | 187 | <pre>$·sudo·cat·Kdns.example.com·.+NNN·+MMMMM·.key |
| 130 | < | 188 | dns.example.com·IN·KEY·512·3·157·base64-key-string</pre> |
| 131 | < | 189 | Add·the·directives·to·<code>/etc/named.conf</code>·on·the·primary·server: |
| 132 | < | 190 | <pre>key·zone-transfer-key·{ |
| 133 | 191 | ··algorithm·hmac-md5; | |
| 134 | 192 | ··secret·"base64-key-string·"; | |
| 135 | 193 | }; | |
| 136 | 194 | zone·"example.com·"·IN·{ | |
| 195 | ··type·master; | ||
| 196 | ··allow-transfer·{·key·zone-transfer-key;·}; | ||
| 197 | ··... | ||
| 198 | };</pre> | ||
| 199 | Add·the·directives·below·to·<code>/etc/named.conf</code>·on·the·secondary·nameserver: | ||
| 200 | <pre>key·zone-transfer-key·{ | ||
| 201 | ··algorithm·hmac-md5; | ||
| 202 | ··secret·"base64-key-string·"; | ||
| 203 | }; | ||
| 204 | server·IP-OF-MASTER·{ | ||
| 205 | ··keys·{·zone-transfer-key;·}; | ||
| 206 | }; | ||
| 207 | zone·"example.com·"·IN·{ | ||
| 208 | ··type·slave; | ||
| 209 | ··masters·{·IP-OF-MASTER·;·}; | ||
| 210 | ··... | ||
| 211 | };</pre> | ||
| 137 | </td> | 212 | </td> |
| 138 | <td·xml:lang="en-US">The· | 213 | <td·xml:lang="en-US">The·BIND·transaction·signature·(TSIG)·functionality·allows·primary |
| 139 | 214 | and·secondary·nameservers·to·use·a·shared·secret·to·verify·authorization·to | |
| 140 | 215 | perform·zone·transfers.·This·method·is·more·secure·than·using·IP-based·limiting | |
| 141 | 216 | to·restrict·nameserver·access,·since·IP·addresses·can·be·easily·spoofed. | |
| 142 | 217 | However,·if·you·cannot·configure·TSIG·between·your·servers·because,·for | |
| 143 | 218 | instance,·the·secondary·nameserver·is·not·under·your·control·and·its | |
| 144 | 219 | administrators·are·unwilling·to·configure·TSIG,·you·can·configure·an | |
| 145 | 220 | allow-transfer·directive·with·numerical·IP·addresses·or·ACLs·as·a·last·resort.</td> | |
| 146 | variant·is·supported.</td> | ||
| 147 | <td></td> | 221 | <td></td> |
| Max diff block lines reached; 475985/483007 bytes (98.55%) of diff not shown. | |||
| Offset 107, 76 lines modified | Offset 107, 14 lines modified | ||
| 107 | from·correctly·detecting·that·the·user·is·idle.</td> | 107 | from·correctly·detecting·that·the·user·is·idle.</td> |
| 108 | <td·xml:lang="en-US">Causing·idle·users·to·be·automatically·logged·out | 108 | <td·xml:lang="en-US">Causing·idle·users·to·be·automatically·logged·out |
| 109 | guards·against·compromises·one·system·leading·trivially | 109 | guards·against·compromises·one·system·leading·trivially |
| 110 | to·compromises·on·another.</td> | 110 | to·compromises·on·another.</td> |
| 111 | <td></td> | 111 | <td></td> |
| 112 | </tr> | 112 | </tr> |
| 113 | <tr> | 113 | <tr> |
| 114 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> | ||
| 115 | <td>Implement·Blank·Screensaver</td> | ||
| 116 | <td·xml:lang="en-US">Run·the·following·command·to·set·the·screensaver·mode | ||
| 117 | in·the·GNOME·desktop·to·a·blank·screen: | ||
| 118 | <pre>$·sudo·gconftool-2·--direct·\ | ||
| 119 | ··--config-source·xml:readwrite:/etc/gconf/gconf.xml.mandatory·\ | ||
| 120 | ··--type·string·\ | ||
| 121 | ··--set·/apps/gnome-screensaver/mode·blank-only</pre> | ||
| 122 | </td> | ||
| 123 | <td·xml:lang="en-US">Setting·the·screensaver·mode·to·blank-only·conceals·the | ||
| 124 | contents·of·the·display·from·passersby.</td> | ||
| 125 | <td></td> | ||
| 126 | </tr> | ||
| 127 | <tr> | ||
| 128 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> | ||
| 129 | <td>Enable·Screen·Lock·Activation·After·Idle·Period</td> | ||
| 130 | <td·xml:lang="en-US">Run·the·following·command·to·activate·locking·of·the·screensaver | ||
| 131 | in·the·GNOME·desktop·when·it·is·activated: | ||
| 132 | <pre>$·sudo·gconftool-2·--direct·\ | ||
| 133 | ··--config-source·xml:readwrite:/etc/gconf/gconf.xml.mandatory·\ | ||
| 134 | ··--type·bool·\ | ||
| 135 | ··--set·/apps/gnome-screensaver/lock_enabled·true</pre> | ||
| 136 | </td> | ||
| 137 | <td·xml:lang="en-US">Enabling·the·activation·of·the·screen·lock·after·an·idle·period | ||
| 138 | ensures·password·entry·will·be·required·in·order·to | ||
| 139 | access·the·system,·preventing·access·by·passersby.</td> | ||
| 140 | <td></td> | ||
| 141 | </tr> | ||
| 142 | <tr> | ||
| 143 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> | ||
| 144 | <td>GNOME·Desktop·Screensaver·Mandatory·Use</td> | ||
| 145 | <td·xml:lang="en-US">Run·the·following·command·to·activate·the·screensaver | ||
| 146 | in·the·GNOME·desktop·after·a·period·of·inactivity: | ||
| 147 | <pre>$·sudo·gconftool-2·--direct·\ | ||
| 148 | ··--config-source·xml:readwrite:/etc/gconf/gconf.xml.mandatory·\ | ||
| 149 | ··--type·bool·\ | ||
| 150 | ··--set·/apps/gnome-screensaver/idle_activation_enabled·true</pre> | ||
| 151 | </td> | ||
| 152 | <td·xml:lang="en-US">Enabling·idle·activation·of·the·screensaver·ensures·the·screensaver·will | ||
| 153 | be·activated·after·the·idle·delay.··Applications·requiring·continuous, | ||
| 154 | real-time·screen·display·(such·as·network·management·products)·require·the | ||
| 155 | login·session·does·not·have·administrator·rights·and·the·display·station·is·located·in·a | ||
| 156 | controlled-access·area.</td> | ||
| 157 | <td></td> | ||
| 158 | </tr> | ||
| 159 | <tr> | ||
| 160 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> | ||
| 161 | <td>Set·GNOME·Login·Inactivity·Timeout</td> | ||
| 162 | <td·xml:lang="en-US">Run·the·following·command·to·set·the·idle·time-out·value·for | ||
| 163 | inactivity·in·the·GNOME·desktop·to·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="inactivity_timeout_value"></ns0:sub>·minutes: | ||
| 164 | <pre>$·sudo·gconftool-2·\ | ||
| 165 | ··--direct·\ | ||
| 166 | ··--config-source·xml:readwrite:/etc/gconf/gconf.xml.mandatory·\ | ||
| 167 | ··--type·int·\ | ||
| 168 | ··--set·/desktop/gnome/session/idle_delay·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="inactivity_timeout_value"></ns0:sub></pre> | ||
| 169 | </td> | ||
| 170 | <td·xml:lang="en-US">Setting·the·idle·delay·controls·when·the | ||
| 171 | screensaver·will·start,·and·can·be·combined·with | ||
| 172 | screen·locking·to·prevent·access·from·passersby.</td> | ||
| 173 | <td></td> | ||
| 174 | </tr> | ||
| 175 | <tr> | ||
| 176 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.1</a></td> | 114 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.1</a></td> |
| 177 | <td>Ensure·System·Log·Files·Have·Correct·Permissions</td> | 115 | <td>Ensure·System·Log·Files·Have·Correct·Permissions</td> |
| 178 | <td·xml:lang="en-US">The·file·permissions·for·all·log·files·written·by | 116 | <td·xml:lang="en-US">The·file·permissions·for·all·log·files·written·by |
| 179 | <code>rsyslog</code>·should·be·set·to·600,·or·more·restrictive. | 117 | <code>rsyslog</code>·should·be·set·to·600,·or·more·restrictive. |
| 180 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in | 118 | These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in |
| 181 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>.· | 119 | <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>.· |
| 182 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, | 120 | For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>, |
| Offset 503, 14 lines modified | Offset 441, 130 lines modified | ||
| 503 | their·account.·Providing·users·with·information·regarding·the·number | 441 | their·account.·Providing·users·with·information·regarding·the·number |
| 504 | of·unsuccessful·attempts·that·were·made·to·login·to·their·account | 442 | of·unsuccessful·attempts·that·were·made·to·login·to·their·account |
| 505 | allows·the·user·to·determine·if·any·unauthorized·activity·has·occurred | 443 | allows·the·user·to·determine·if·any·unauthorized·activity·has·occurred |
| 506 | and·gives·them·an·opportunity·to·notify·administrators.</td> | 444 | and·gives·them·an·opportunity·to·notify·administrators.</td> |
| 507 | <td></td> | 445 | <td></td> |
| 508 | </tr> | 446 | </tr> |
| 509 | <tr> | 447 | <tr> |
| 448 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.7.c</a></td> | ||
| 449 | <td>Verify·Permissions·on·shadow·File</td> | ||
| 450 | <td·xml:lang="en-US"> | ||
| 451 | ·············· | ||
| 452 | ····To·properly·set·the·permissions·of·<code>/etc/shadow</code>,·run·the·command: | ||
| 453 | ····<pre·xml:space="preserve">$·sudo·chmod·0000·/etc/shadow</pre> | ||
| 454 | ············</td> | ||
| 455 | <td·xml:lang="en-US">The·<code>/etc/shadow</code>·file·contains·the·list·of·local | ||
| 456 | system·accounts·and·stores·password·hashes.·Protection·of·this·file·is | ||
| 457 | critical·for·system·security.·Failure·to·give·ownership·of·this·file | ||
| 458 | to·root·provides·the·designated·owner·with·access·to·sensitive·information | ||
| 459 | which·could·weaken·the·system·security·posture.</td> | ||
| 460 | <td></td> | ||
| 461 | </tr> | ||
| 462 | <tr> | ||
| 463 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.7.c</a></td> | ||
| 464 | <td>Verify·Group·Who·Owns·shadow·File</td> | ||
| 465 | <td·xml:lang="en-US"> | ||
| 466 | ·············· | ||
| 467 | ····To·properly·set·the·group·owner·of·<code>/etc/shadow</code>,·run·the·command: | ||
| 468 | ····<pre·xml:space="preserve">$·sudo·chgrp·root·/etc/shadow·</pre> | ||
| 469 | ············</td> | ||
| 470 | <td·xml:lang="en-US">The·<code>/etc/shadow</code>·file·stores·password·hashes.·Protection·of·this·file·is | ||
| 471 | critical·for·system·security.</td> | ||
| 472 | <td></td> | ||
| 473 | </tr> | ||
| 474 | <tr> | ||
| 475 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.7.c</a></td> | ||
| 476 | <td>Verify·Permissions·on·group·File</td> | ||
| 477 | <td·xml:lang="en-US"> | ||
| 478 | ·············· | ||
| 479 | ····To·properly·set·the·permissions·of·<code>/etc/group</code>,·run·the·command: | ||
| 480 | ····<pre·xml:space="preserve">$·sudo·chmod·644·/etc/group</pre> | ||
| 481 | ············</td> | ||
| 482 | <td·xml:lang="en-US">The·<code>/etc/group</code>·file·contains·information·regarding·groups·that·are·configured | ||
| 483 | on·the·system.·Protection·of·this·file·is·important·for·system·security.</td> | ||
| 484 | <td></td> | ||
| 485 | </tr> | ||
| 486 | <tr> | ||
| 487 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.7.c</a></td> | ||
| 488 | <td>Verify·User·Who·Owns·passwd·File</td> | ||
| 489 | <td·xml:lang="en-US"> | ||
| 490 | ·············· | ||
| Max diff block lines reached; 41781/51532 bytes (81.08%) of diff not shown. | |||
| Offset 66, 124 lines modified | Offset 66, 14 lines modified | ||
| 66 | <td></td> | 66 | <td></td> |
| 67 | </tr> | 67 | </tr> |
| 68 | <tr> | 68 | <tr> |
| 69 | <td>SRG-OS-000480-GPOS-00232</td> | 69 | <td>SRG-OS-000480-GPOS-00232</td> |
| 70 | <td>CCI-000366</td> | 70 | <td>CCI-000366</td> |
| 71 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 71 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 72 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 72 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 73 | <td>postfix_client_configure_mail_alias</td> | ||
| 74 | <td>Configure·System·to·Forward·All·Mail·For·The·Root·Account</td> | ||
| 75 | <td·xml:lang="en-US">Set·up·an·alias·for·root·that·forwards·to·a·monitored·email·address: | ||
| 76 | <pre>$·sudo·echo·"root:·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="var_postfix_root_mail_alias"></ns0:sub>"·>>·/etc/aliases | ||
| 77 | $·sudo·newaliases</pre> | ||
| 78 | </td> | ||
| 79 | <td></td> | ||
| 80 | </tr> | ||
| 81 | <tr> | ||
| 82 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 83 | <td>CCI-000366</td> | ||
| 84 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 85 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 86 | <td>sysconfig_networking_bootproto_ifcfg</td> | ||
| 87 | <td>Disable·DHCP·Client</td> | ||
| 88 | <td·xml:lang="en-US">For·each·interface·on·the·system·(e.g.·eth0),·edit | ||
| 89 | <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the | ||
| 90 | following·changes: | ||
| 91 | <ul> | ||
| 92 | <li>·Correct·the·BOOTPROTO·line·to·read: | ||
| 93 | <pre>BOOTPROTO=none</pre> | ||
| 94 | </li> | ||
| 95 | <li>·Add·or·correct·the·following·lines,·substituting·the·appropriate | ||
| 96 | values·based·on·your·site's·addressing·scheme: | ||
| 97 | <pre>NETMASK=255.255.255.0 | ||
| 98 | IPADDR=192.168.1.2 | ||
| 99 | GATEWAY=192.168.1.1</pre> | ||
| 100 | </li> | ||
| 101 | </ul> | ||
| 102 | </td> | ||
| 103 | <td></td> | ||
| 104 | </tr> | ||
| 105 | <tr> | ||
| 106 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 107 | <td>CCI-000366</td> | ||
| 108 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 109 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 110 | <td>package_dhcp_removed</td> | ||
| 111 | <td>Uninstall·DHCP·Server·Package</td> | ||
| 112 | <td·xml:lang="en-US">If·the·system·does·not·need·to·act·as·a·DHCP·server, | ||
| 113 | the·dhcp·package·can·be·uninstalled. | ||
| 114 | ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: | ||
| 115 | ········<pre>$·sudo·yum·erase·dhcp</pre> | ||
| 116 | </td> | ||
| 117 | <td></td> | ||
| 118 | </tr> | ||
| 119 | <tr> | ||
| 120 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 121 | <td>CCI-000366</td> | ||
| 122 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 123 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 124 | <td>service_dhcpd_disabled</td> | ||
| 125 | <td>Disable·DHCP·Service</td> | ||
| 126 | <td·xml:lang="en-US">The·<code>dhcpd</code>·service·should·be·disabled·on | ||
| 127 | any·system·that·does·not·need·to·act·as·a·DHCP·server. | ||
| 128 | ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command: | ||
| 129 | ········<pre>$·sudo·chkconfig·dhcpd·off</pre> | ||
| 130 | </td> | ||
| 131 | <td></td> | ||
| 132 | </tr> | ||
| 133 | <tr> | ||
| 134 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 135 | <td>CCI-000366</td> | ||
| 136 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 137 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 138 | <td>tftpd_uses_secure_mode</td> | ||
| 139 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> | ||
| 140 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured | ||
| 141 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | ||
| 142 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | ||
| 143 | the·following·example·(which·is·also·the·default): | ||
| 144 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> | ||
| 145 | </td> | ||
| 146 | <td></td> | ||
| 147 | </tr> | ||
| 148 | <tr> | ||
| 149 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 150 | <td>CCI-000366</td> | ||
| 151 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 152 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 153 | <td>package_xorg-x11-server-common_removed</td> | ||
| 154 | <td>Remove·the·X·Windows·Package·Group</td> | ||
| 155 | <td·xml:lang="en-US">Removing·all·packages·which·constitute·the·X·Window·System | ||
| 156 | ensures·users·or·malicious·software·cannot·start·X. | ||
| 157 | To·do·so,·run·the·following·command: | ||
| 158 | <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> | ||
| 159 | </td> | ||
| 160 | <td></td> | ||
| 161 | </tr> | ||
| 162 | <tr> | ||
| 163 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 164 | <td>CCI-000366</td> | ||
| 165 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 166 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 167 | <td>xwindows_runlevel_setting</td> | ||
| 168 | <td>Disable·X·Windows·Startup·By·Setting·Runlevel</td> | ||
| 169 | <td·xml:lang="en-US">Setting·the·system's·runlevel·to·3·will·prevent·automatic·startup | ||
| 170 | of·the·X·server.·To·do·so,·ensure·the·following·line·in·<code>/etc/inittab</code> | ||
| 171 | features·a·<code>3</code>·as·shown: | ||
| 172 | <pre>id:3:initdefault:</pre> | ||
| 173 | </td> | ||
| 174 | <td></td> | ||
| 175 | </tr> | ||
| 176 | <tr> | ||
| 177 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 178 | <td>CCI-000366</td> | ||
| 179 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 180 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 181 | <td>service_named_disabled</td> | 73 | <td>service_named_disabled</td> |
| 182 | <td>Disable·DNS·Server</td> | 74 | <td>Disable·DNS·Server</td> |
| 183 | <td·xml:lang="en-US"> | 75 | <td·xml:lang="en-US"> |
| 184 | ············ | 76 | ············ |
| 185 | ········The·<code>named</code>·service·can·be·disabled·with·the·following·command: | 77 | ········The·<code>named</code>·service·can·be·disabled·with·the·following·command: |
| 186 | ········<pre>$·sudo·chkconfig·named·off</pre> | 78 | ········<pre>$·sudo·chkconfig·named·off</pre> |
| 187 | ··········</td> | 79 | ··········</td> |
| Offset 219, 131 lines modified | Offset 109, 138 lines modified | ||
| 219 | <td></td> | 109 | <td></td> |
| 220 | </tr> | 110 | </tr> |
| Max diff block lines reached; 384067/390015 bytes (98.47%) of diff not shown. | |||
| Offset 65, 14 lines modified | Offset 65, 64 lines modified | ||
| 65 | <tr> | 65 | <tr> |
| 66 | <td>SRG-OS-000480-GPOS-00232</td> | 66 | <td>SRG-OS-000480-GPOS-00232</td> |
| 67 | <td>CCI-000366</td> | 67 | <td>CCI-000366</td> |
| 68 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 68 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 69 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 69 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 70 | <td> | 70 | <td> |
| 71 | <table><tr> | 71 | <table><tr> |
| 72 | <td>Disable·DNS·Server</td> | ||
| 73 | <td·xml:lang="en-US"> | ||
| 74 | ············ | ||
| 75 | ········The·<code>named</code>·service·can·be·disabled·with·the·following·command: | ||
| 76 | ········<pre>$·sudo·chkconfig·named·off</pre> | ||
| 77 | ··········</td> | ||
| 78 | </tr></table> | ||
| 79 | <table><tr> | ||
| 80 | <td>Uninstall·bind·Package</td> | ||
| 81 | <td·xml:lang="en-US">To·remove·the·<code>bind</code>·package,·which·contains·the | ||
| 82 | <code>named</code>·service,·run·the·following·command: | ||
| 83 | <pre>$·sudo·yum·erase·bind</pre> | ||
| 84 | </td> | ||
| 85 | </tr></table> | ||
| 86 | <table><tr> | ||
| 87 | <td>Uninstall·openldap-servers·Package</td> | ||
| 88 | <td·xml:lang="en-US">The·<code>openldap-servers</code>·package·should·be·removed·if·not·in·use. | ||
| 89 | Is·this·system·the·OpenLDAP·server?·If·not,·remove·the·package. | ||
| 90 | <pre>$·sudo·yum·erase·openldap-servers</pre> | ||
| 91 | The·openldap-servers·RPM·is·not·installed·by·default·on·Red·Hat·Enterprise·Linux·6 | ||
| 92 | systems.·It·is·needed·only·by·the·OpenLDAP·server,·not·by·the | ||
| 93 | clients·which·use·LDAP·for·authentication.·If·the·system·is·not | ||
| 94 | intended·for·use·as·an·LDAP·Server·it·should·be·removed.</td> | ||
| 95 | </tr></table> | ||
| 96 | <table><tr> | ||
| 97 | <td>Disable·X·Windows·Startup·By·Setting·Runlevel</td> | ||
| 98 | <td·xml:lang="en-US">Setting·the·system's·runlevel·to·3·will·prevent·automatic·startup | ||
| 99 | of·the·X·server.·To·do·so,·ensure·the·following·line·in·<code>/etc/inittab</code> | ||
| 100 | features·a·<code>3</code>·as·shown: | ||
| 101 | <pre>id:3:initdefault:</pre> | ||
| 102 | </td> | ||
| 103 | </tr></table> | ||
| 104 | <table><tr> | ||
| 105 | <td>Remove·the·X·Windows·Package·Group</td> | ||
| 106 | <td·xml:lang="en-US">Removing·all·packages·which·constitute·the·X·Window·System | ||
| 107 | ensures·users·or·malicious·software·cannot·start·X. | ||
| 108 | To·do·so,·run·the·following·command: | ||
| 109 | <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> | ||
| 110 | </td> | ||
| 111 | </tr></table> | ||
| 112 | <table><tr> | ||
| 113 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> | ||
| 114 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured | ||
| 115 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | ||
| 116 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | ||
| 117 | the·following·example·(which·is·also·the·default): | ||
| 118 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> | ||
| 119 | </td> | ||
| 120 | </tr></table> | ||
| 121 | <table><tr> | ||
| 72 | <td>Configure·System·to·Forward·All·Mail·For·The·Root·Account</td> | 122 | <td>Configure·System·to·Forward·All·Mail·For·The·Root·Account</td> |
| 73 | <td·xml:lang="en-US">Set·up·an·alias·for·root·that·forwards·to·a·monitored·email·address: | 123 | <td·xml:lang="en-US">Set·up·an·alias·for·root·that·forwards·to·a·monitored·email·address: |
| 74 | <pre>$·sudo·echo·"root:·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="var_postfix_root_mail_alias"></ns0:sub>"·>>·/etc/aliases | 124 | <pre>$·sudo·echo·"root:·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="var_postfix_root_mail_alias"></ns0:sub>"·>>·/etc/aliases |
| 75 | $·sudo·newaliases</pre> | 125 | $·sudo·newaliases</pre> |
| 76 | </td> | 126 | </td> |
| 77 | </tr></table> | 127 | </tr></table> |
| 78 | <table><tr> | 128 | <table><tr> |
| Offset 108, 139 lines modified | Offset 158, 22 lines modified | ||
| 108 | any·system·that·does·not·need·to·act·as·a·DHCP·server. | 158 | any·system·that·does·not·need·to·act·as·a·DHCP·server. |
| 109 | ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command: | 159 | ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command: |
| 110 | ········<pre>$·sudo·chkconfig·dhcpd·off</pre> | 160 | ········<pre>$·sudo·chkconfig·dhcpd·off</pre> |
| 111 | </td> | 161 | </td> |
| 112 | </tr></table> | 162 | </tr></table> |
| 113 | <table><tr> | 163 | <table><tr> |
| 114 | <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> | ||
| 115 | <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured | ||
| 116 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | ||
| 117 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | ||
| 118 | the·following·example·(which·is·also·the·default): | ||
| 119 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> | ||
| 120 | </td> | ||
| 121 | </tr></table> | ||
| 122 | <table><tr> | ||
| 123 | <td>Remove·the·X·Windows·Package·Group</td> | ||
| 124 | <td·xml:lang="en-US">Removing·all·packages·which·constitute·the·X·Window·System | ||
| 125 | ensures·users·or·malicious·software·cannot·start·X. | ||
| 126 | To·do·so,·run·the·following·command: | ||
| 127 | <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> | ||
| 128 | </td> | ||
| 129 | </tr></table> | ||
| 130 | <table><tr> | ||
| 131 | <td>Disable·X·Windows·Startup·By·Setting·Runlevel</td> | ||
| 132 | <td·xml:lang="en-US">Setting·the·system's·runlevel·to·3·will·prevent·automatic·startup | ||
| 133 | of·the·X·server.·To·do·so,·ensure·the·following·line·in·<code>/etc/inittab</code> | ||
| 134 | features·a·<code>3</code>·as·shown: | ||
| 135 | <pre>id:3:initdefault:</pre> | ||
| 136 | </td> | ||
| 137 | </tr></table> | ||
| 138 | <table><tr> | ||
| 139 | <td>Disable·DNS·Server</td> | ||
| 140 | <td·xml:lang="en-US"> | ||
| 141 | ············ | ||
| 142 | ········The·<code>named</code>·service·can·be·disabled·with·the·following·command: | ||
| 143 | ········<pre>$·sudo·chkconfig·named·off</pre> | ||
| 144 | ··········</td> | ||
| 145 | </tr></table> | ||
| 146 | <table><tr> | ||
| 147 | <td>Uninstall·bind·Package</td> | ||
| 148 | <td·xml:lang="en-US">To·remove·the·<code>bind</code>·package,·which·contains·the | ||
| 149 | <code>named</code>·service,·run·the·following·command: | ||
| 150 | <pre>$·sudo·yum·erase·bind</pre> | ||
| 151 | </td> | ||
| 152 | </tr></table> | ||
| 153 | <table><tr> | ||
| 154 | <td>Uninstall·openldap-servers·Package</td> | ||
| 155 | <td·xml:lang="en-US">The·<code>openldap-servers</code>·package·should·be·removed·if·not·in·use. | ||
| 156 | Is·this·system·the·OpenLDAP·server?·If·not,·remove·the·package. | ||
| 157 | <pre>$·sudo·yum·erase·openldap-servers</pre> | ||
| 158 | The·openldap-servers·RPM·is·not·installed·by·default·on·Red·Hat·Enterprise·Linux·6 | ||
| 159 | systems.·It·is·needed·only·by·the·OpenLDAP·server,·not·by·the | ||
| 160 | clients·which·use·LDAP·for·authentication.·If·the·system·is·not | ||
| 161 | intended·for·use·as·an·LDAP·Server·it·should·be·removed.</td> | ||
| 162 | </tr></table> | ||
| 163 | <table><tr> | ||
| 164 | <td>Disable·Avahi·Server·Software</td> | 164 | <td>Disable·Avahi·Server·Software</td> |
| 165 | <td·xml:lang="en-US"> | 165 | <td·xml:lang="en-US"> |
| 166 | ············ | 166 | ············ |
| 167 | ········The·<code>avahi-daemon</code>·service·can·be·disabled·with·the·following·command: | 167 | ········The·<code>avahi-daemon</code>·service·can·be·disabled·with·the·following·command: |
| 168 | ········<pre>$·sudo·chkconfig·avahi-daemon·off</pre> | 168 | ········<pre>$·sudo·chkconfig·avahi-daemon·off</pre> |
| Max diff block lines reached; 200508/205974 bytes (97.35%) of diff not shown. | |||
| Offset 37, 32 lines modified | Offset 37, 14 lines modified | ||
| 37 | <table> | 37 | <table> |
| 38 | <thead> | 38 | <thead> |
| 39 | <td>CCE·ID</td> | 39 | <td>CCE·ID</td> |
| 40 | <td>Rule·Title</td> | 40 | <td>Rule·Title</td> |
| 41 | <td>Description</td> | 41 | <td>Description</td> |
| 42 | </thead> | 42 | </thead> |
| 43 | <tr> | 43 | <tr> |
| 44 | <td>CCE-80441-9</td> | ||
| 45 | <td>Use·direct-lvm·with·the·Device·Mapper·Storage·Driver</td> | ||
| 46 | <td·xml:lang="en-US">To·use·Docker·in·production·with·the·device·mapper·storage·driver,·the·Docker | ||
| 47 | daemon·should·be·configured·to·use·direct-lvm·instead·of·loopback·device·as | ||
| 48 | a·storage.·For·setting·up·the·LVM·and·configuring·Docker,·see·the | ||
| 49 | <a·href="https://docs.docker.com/engine/userguide/storagedriver/device-mapper-driver/">Docker·Device·Mapper·Storage·Documentation</a>.</td> | ||
| 50 | </tr> | ||
| 51 | <tr> | ||
| 52 | <td>CCE-80440-1</td> | ||
| 53 | <td>Enable·the·Docker·service</td> | ||
| 54 | <td·xml:lang="en-US">The·docker·service·is·commonly·needed·to | ||
| 55 | ··create·containers. | ||
| 56 | ········The·<code>docker</code>·service·can·be·enabled·with·the·following·command: | ||
| 57 | ········<pre>$·sudo·systemctl·enable·docker.service</pre> | ||
| 58 | </td> | ||
| 59 | </tr> | ||
| 60 | <tr> | ||
| 61 | <td>CCE-27274-0</td> | 44 | <td>CCE-27274-0</td> |
| 62 | <td>Uninstall·rsh·Package</td> | 45 | <td>Uninstall·rsh·Package</td> |
| 63 | <td·xml:lang="en-US">The·<code>rsh</code>·package·contains·the·client·commands | 46 | <td·xml:lang="en-US">The·<code>rsh</code>·package·contains·the·client·commands |
| 64 | for·the·rsh·services</td> | 47 | for·the·rsh·services</td> |
| 65 | </tr> | 48 | </tr> |
| 66 | <tr> | 49 | <tr> |
| 67 | <td>CCE-27336-7</td> | 50 | <td>CCE-27336-7</td> |
| Offset 181, 32 lines modified | Offset 163, 32 lines modified | ||
| 181 | <td>Uninstall·telnet-server·Package</td> | 163 | <td>Uninstall·telnet-server·Package</td> |
| 182 | <td·xml:lang="en-US">The·<code>telnet-server</code>·package·can·be·uninstalled·with | 164 | <td·xml:lang="en-US">The·<code>telnet-server</code>·package·can·be·uninstalled·with |
| 183 | the·following·command: | 165 | the·following·command: |
| 184 | <pre>$·sudo·yum·erase·telnet-server</pre> | 166 | <pre>$·sudo·yum·erase·telnet-server</pre> |
| 185 | </td> | 167 | </td> |
| 186 | </tr> | 168 | </tr> |
| 187 | <tr> | 169 | <tr> |
| 170 | <td>CCE-27396-1</td> | ||
| 171 | <td>Remove·NIS·Client</td> | ||
| 172 | <td·xml:lang="en-US">The·Network·Information·Service·(NIS),·formerly·known·as·Yellow·Pages, | ||
| 173 | is·a·client-server·directory·service·protocol·used·to·distribute·system·configuration | ||
| 174 | files.·The·NIS·client·(<code>ypbind</code>)·was·used·to·bind·a·system·to·an·NIS·server | ||
| 175 | and·receive·the·distributed·configuration·files.</td> | ||
| 176 | </tr> | ||
| 177 | <tr> | ||
| 188 | <td>CCE-27385-4</td> | 178 | <td>CCE-27385-4</td> |
| 189 | <td>Disable·ypbind·Service</td> | 179 | <td>Disable·ypbind·Service</td> |
| 190 | <td·xml:lang="en-US">The·<code>ypbind</code>·service,·which·allows·the·system·to·act·as·a·client·in | 180 | <td·xml:lang="en-US">The·<code>ypbind</code>·service,·which·allows·the·system·to·act·as·a·client·in |
| 191 | a·NIS·or·NIS+·domain,·should·be·disabled. | 181 | a·NIS·or·NIS+·domain,·should·be·disabled. |
| 192 | ········The·<code>ypbind</code>·service·can·be·disabled·with·the·following·command: | 182 | ········The·<code>ypbind</code>·service·can·be·disabled·with·the·following·command: |
| 193 | ········<pre>$·sudo·systemctl·disable·ypbind.service</pre> | 183 | ········<pre>$·sudo·systemctl·disable·ypbind.service</pre> |
| 194 | </td> | 184 | </td> |
| 195 | </tr> | 185 | </tr> |
| 196 | <tr> | 186 | <tr> |
| 197 | <td>CCE-27396-1</td> | ||
| 198 | <td>Remove·NIS·Client</td> | ||
| 199 | <td·xml:lang="en-US">The·Network·Information·Service·(NIS),·formerly·known·as·Yellow·Pages, | ||
| 200 | is·a·client-server·directory·service·protocol·used·to·distribute·system·configuration | ||
| 201 | files.·The·NIS·client·(<code>ypbind</code>)·was·used·to·bind·a·system·to·an·NIS·server | ||
| 202 | and·receive·the·distributed·configuration·files.</td> | ||
| 203 | </tr> | ||
| 204 | <tr> | ||
| 205 | <td>CCE-27399-5</td> | 187 | <td>CCE-27399-5</td> |
| 206 | <td>Uninstall·ypserv·Package</td> | 188 | <td>Uninstall·ypserv·Package</td> |
| 207 | <td·xml:lang="en-US">The·<code>ypserv</code>·package·can·be·uninstalled·with | 189 | <td·xml:lang="en-US">The·<code>ypserv</code>·package·can·be·uninstalled·with |
| 208 | the·following·command: | 190 | the·following·command: |
| 209 | <pre>$·sudo·yum·erase·ypserv</pre> | 191 | <pre>$·sudo·yum·erase·ypserv</pre> |
| 210 | </td> | 192 | </td> |
| 211 | </tr> | 193 | </tr> |
| Offset 243, 33 lines modified | Offset 225, 33 lines modified | ||
| 243 | to·change·its·root·directory·at·startup.·To·do·so,·ensure | 225 | to·change·its·root·directory·at·startup.·To·do·so,·ensure |
| 244 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in | 226 | <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in |
| 245 | the·following·example·(which·is·also·the·default): | 227 | the·following·example·(which·is·also·the·default): |
| 246 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> | 228 | <pre>server_args·=·-s·/var/lib/tftpboot</pre> |
| 247 | </td> | 229 | </td> |
| 248 | </tr> | 230 | </tr> |
| 249 | <tr> | 231 | <tr> |
| 250 | <td>CCE-27443-1</td> | ||
| 251 | <td>Disable·xinetd·Service</td> | ||
| 252 | <td·xml:lang="en-US"> | ||
| 253 | ············ | ||
| 254 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | ||
| 255 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | ||
| 256 | ··········</td> | ||
| 257 | </tr> | ||
| 258 | <tr> | ||
| 259 | <td>CCE-27361-5</td> | 232 | <td>CCE-27361-5</td> |
| 260 | <td>Install·tcp_wrappers·Package</td> | 233 | <td>Install·tcp_wrappers·Package</td> |
| 261 | <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the | 234 | <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the |
| 262 | <code>tcp_wrappers</code>·package·should·be·installed. | 235 | <code>tcp_wrappers</code>·package·should·be·installed. |
| 263 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: | 236 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: |
| 264 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre> | 237 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre> |
| 265 | </td> | 238 | </td> |
| 266 | </tr> | 239 | </tr> |
| 267 | <tr> | 240 | <tr> |
| 241 | <td>CCE-27443-1</td> | ||
| 242 | <td>Disable·xinetd·Service</td> | ||
| 243 | <td·xml:lang="en-US"> | ||
| 244 | ············ | ||
| 245 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | ||
| 246 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | ||
| 247 | ··········</td> | ||
| 248 | </tr> | ||
| 249 | <tr> | ||
| 268 | <td>CCE-27354-0</td> | 250 | <td>CCE-27354-0</td> |
| 269 | <td>Uninstall·xinetd·Package</td> | 251 | <td>Uninstall·xinetd·Package</td> |
| 270 | <td·xml:lang="en-US">The·<code>xinetd</code>·package·can·be·uninstalled·with·the·following·command: | 252 | <td·xml:lang="en-US">The·<code>xinetd</code>·package·can·be·uninstalled·with·the·following·command: |
| 271 | <pre>$·sudo·yum·erase·xinetd</pre> | 253 | <pre>$·sudo·yum·erase·xinetd</pre> |
| 272 | </td> | 254 | </td> |
| 273 | </tr> | 255 | </tr> |
| 274 | <tr> | 256 | <tr> |
| Offset 290, 40 lines modified | Offset 272, 83 lines modified | ||
| 290 | <td·xml:lang="en-US"> | 272 | <td·xml:lang="en-US"> |
| 291 | ············ | 273 | ············ |
| 292 | ········The·<code>talk-server</code>·package·can·be·removed·with·the·following·command: | 274 | ········The·<code>talk-server</code>·package·can·be·removed·with·the·following·command: |
| 293 | ········<pre>$·sudo·yum·erase·talk-server</pre> | 275 | ········<pre>$·sudo·yum·erase·talk-server</pre> |
| 294 | ··········</td> | 276 | ··········</td> |
| 295 | </tr> | 277 | </tr> |
| 296 | <tr> | 278 | <tr> |
| 279 | <td>CCE-80298-3</td> | ||
| 280 | <td>Configure·Dovecot·to·Use·the·SSL·Key·file</td> | ||
| 281 | <td·xml:lang="en-US">This·option·tells·Dovecot·where·to·find·the·the·mail· | ||
| Max diff block lines reached; 304807/311388 bytes (97.89%) of diff not shown. | |||
| Offset 227, 42 lines modified | Offset 227, 42 lines modified | ||
| 227 | ········<pre>$·sudo·systemctl·disable·tftp.service</pre> | 227 | ········<pre>$·sudo·systemctl·disable·tftp.service</pre> |
| 228 | </td> | 228 | </td> |
| 229 | <td·xml:lang="en-US">Disabling·the·<code>tftp</code>·service·ensures·the·system·is·not·acting | 229 | <td·xml:lang="en-US">Disabling·the·<code>tftp</code>·service·ensures·the·system·is·not·acting |
| 230 | as·a·TFTP·server,·which·does·not·provide·encryption·or·authentication.</td> | 230 | as·a·TFTP·server,·which·does·not·provide·encryption·or·authentication.</td> |
| 231 | <td></td> | 231 | <td></td> |
| 232 | </tr> | 232 | </tr> |
| 233 | <tr> | 233 | <tr> |
| 234 | <td>2.1.7</td> | ||
| 235 | <td>Disable·xinetd·Service</td> | ||
| 236 | <td·xml:lang="en-US"> | ||
| 237 | ············ | ||
| 238 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | ||
| 239 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | ||
| 240 | ··········</td> | ||
| 241 | <td·xml:lang="en-US">The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | ||
| 242 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | ||
| 243 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | ||
| 244 | attacks·against·xinetd·itself.</td> | ||
| 245 | <td></td> | ||
| 246 | </tr> | ||
| 247 | <tr> | ||
| 248 | <td>3.4.1</td> | 234 | <td>3.4.1</td> |
| 249 | <td>Install·tcp_wrappers·Package</td> | 235 | <td>Install·tcp_wrappers·Package</td> |
| 250 | <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the | 236 | <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the |
| 251 | <code>tcp_wrappers</code>·package·should·be·installed. | 237 | <code>tcp_wrappers</code>·package·should·be·installed. |
| 252 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: | 238 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: |
| 253 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre> | 239 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre> |
| 254 | </td> | 240 | </td> |
| 255 | <td·xml:lang="en-US">Access·control·methods·provide·the·ability·to·enhance·system·security·posture | 241 | <td·xml:lang="en-US">Access·control·methods·provide·the·ability·to·enhance·system·security·posture |
| 256 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | 242 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This |
| 257 | prevents·connections·from·unknown·hosts·and·protocols.</td> | 243 | prevents·connections·from·unknown·hosts·and·protocols.</td> |
| 258 | <td></td> | 244 | <td></td> |
| 259 | </tr> | 245 | </tr> |
| 260 | <tr> | 246 | <tr> |
| 247 | <td>2.1.7</td> | ||
| 248 | <td>Disable·xinetd·Service</td> | ||
| 249 | <td·xml:lang="en-US"> | ||
| 250 | ············ | ||
| 251 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | ||
| 252 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | ||
| 253 | ··········</td> | ||
| 254 | <td·xml:lang="en-US">The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | ||
| 255 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | ||
| 256 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | ||
| 257 | attacks·against·xinetd·itself.</td> | ||
| 258 | <td></td> | ||
| 259 | </tr> | ||
| 260 | <tr> | ||
| 261 | <td>2.3.3</td> | 261 | <td>2.3.3</td> |
| 262 | <td>Uninstall·talk·Package</td> | 262 | <td>Uninstall·talk·Package</td> |
| 263 | <td·xml:lang="en-US">The·<code>talk</code>·package·contains·the·client·program·for·the | 263 | <td·xml:lang="en-US">The·<code>talk</code>·package·contains·the·client·program·for·the |
| 264 | Internet·talk·protocol,·which·allows·the·user·to·chat·with·other·users·on | 264 | Internet·talk·protocol,·which·allows·the·user·to·chat·with·other·users·on |
| 265 | different·systems.·Talk·is·a·communication·program·which·copies·lines·from·one | 265 | different·systems.·Talk·is·a·communication·program·which·copies·lines·from·one |
| 266 | terminal·to·the·terminal·of·another·user. | 266 | terminal·to·the·terminal·of·another·user. |
| Offset 284, 14 lines modified | Offset 284, 26 lines modified | ||
| 284 | ··········</td> | 284 | ··········</td> |
| 285 | <td·xml:lang="en-US">The·talk·software·presents·a·security·risk·as·it·uses·unencrypted·protocols | 285 | <td·xml:lang="en-US">The·talk·software·presents·a·security·risk·as·it·uses·unencrypted·protocols |
| 286 | for·communications.·Removing·the·<code>talk-server</code>·package·decreases·the | 286 | for·communications.·Removing·the·<code>talk-server</code>·package·decreases·the |
| 287 | risk·of·the·accidental·(or·intentional)·activation·of·talk·services.</td> | 287 | risk·of·the·accidental·(or·intentional)·activation·of·talk·services.</td> |
| 288 | <td></td> | 288 | <td></td> |
| 289 | </tr> | 289 | </tr> |
| 290 | <tr> | 290 | <tr> |
| 291 | <td>2.2.11</td> | ||
| 292 | <td>Disable·Dovecot·Service</td> | ||
| 293 | <td·xml:lang="en-US"> | ||
| 294 | ············ | ||
| 295 | ········The·<code>dovecot</code>·service·can·be·disabled·with·the·following·command: | ||
| 296 | ········<pre>$·sudo·systemctl·disable·dovecot.service</pre> | ||
| 297 | ··········</td> | ||
| 298 | <td·xml:lang="en-US">Running·an·IMAP·or·POP3·server·provides·a·network-based | ||
| 299 | avenue·of·attack,·and·should·be·disabled·if·not·needed.</td> | ||
| 300 | <td></td> | ||
| 301 | </tr> | ||
| 302 | <tr> | ||
| 291 | <td>2.2.9</td> | 303 | <td>2.2.9</td> |
| 292 | <td>Disable·vsftpd·Service</td> | 304 | <td>Disable·vsftpd·Service</td> |
| 293 | <td·xml:lang="en-US"> | 305 | <td·xml:lang="en-US"> |
| 294 | ············ | 306 | ············ |
| 295 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: | 307 | ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command: |
| 296 | ········<pre>$·sudo·systemctl·disable·vsftpd.service</pre> | 308 | ········<pre>$·sudo·systemctl·disable·vsftpd.service</pre> |
| 297 | ··········</td> | 309 | ··········</td> |
| Offset 487, 26 lines modified | Offset 499, 14 lines modified | ||
| 487 | </td> | 499 | </td> |
| 488 | <td·xml:lang="en-US">Unmanaged·or·unintentionally·activated·DHCP·servers·may·provide·faulty·information | 500 | <td·xml:lang="en-US">Unmanaged·or·unintentionally·activated·DHCP·servers·may·provide·faulty·information |
| 489 | to·clients,·interfering·with·the·operation·of·a·legitimate·site | 501 | to·clients,·interfering·with·the·operation·of·a·legitimate·site |
| 490 | DHCP·server·if·there·is·one.</td> | 502 | DHCP·server·if·there·is·one.</td> |
| 491 | <td></td> | 503 | <td></td> |
| 492 | </tr> | 504 | </tr> |
| 493 | <tr> | 505 | <tr> |
| 494 | <td>2.2.11</td> | ||
| 495 | <td>Disable·Dovecot·Service</td> | ||
| 496 | <td·xml:lang="en-US"> | ||
| 497 | ············ | ||
| 498 | ········The·<code>dovecot</code>·service·can·be·disabled·with·the·following·command: | ||
| 499 | ········<pre>$·sudo·systemctl·disable·dovecot.service</pre> | ||
| 500 | ··········</td> | ||
| 501 | <td·xml:lang="en-US">Running·an·IMAP·or·POP3·server·provides·a·network-based | ||
| 502 | avenue·of·attack,·and·should·be·disabled·if·not·needed.</td> | ||
| 503 | <td></td> | ||
| 504 | </tr> | ||
| 505 | <tr> | ||
| 506 | <td>2.2.7</td> | 506 | <td>2.2.7</td> |
| 507 | <td>Disable·rpcbind·Service</td> | 507 | <td>Disable·rpcbind·Service</td> |
| 508 | <td·xml:lang="en-US">The·rpcbind·utility·maps·RPC·services·to·the·ports·on·which·they·listen.·RPC | 508 | <td·xml:lang="en-US">The·rpcbind·utility·maps·RPC·services·to·the·ports·on·which·they·listen.·RPC |
| 509 | processes·notify·rpcbind·when·they·start,·registering·the·ports·they·are | 509 | processes·notify·rpcbind·when·they·start,·registering·the·ports·they·are |
| 510 | listening·on·and·the·RPC·program·numbers·they·expect·to·serve.·The·rpcbind | 510 | listening·on·and·the·RPC·program·numbers·they·expect·to·serve.·The·rpcbind |
| 511 | service·redirects·the·client·to·the·proper·port·number·so·it·can·communicate· | 511 | service·redirects·the·client·to·the·proper·port·number·so·it·can·communicate· |
| 512 | with·the·requested·service.·If·the·system·does·not·require·RPC·(such·as·for·NFS | 512 | with·the·requested·service.·If·the·system·does·not·require·RPC·(such·as·for·NFS |
| Offset 579, 14 lines modified | Offset 579, 36 lines modified | ||
| 579 | <pre>ClientAliveCountMax·0</pre> | 579 | <pre>ClientAliveCountMax·0</pre> |
| 580 | </td> | 580 | </td> |
| 581 | <td·xml:lang="en-US">This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> | 581 | <td·xml:lang="en-US">This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 582 | is·reached.</td> | 582 | is·reached.</td> |
| 583 | <td></td> | 583 | <td></td> |
| 584 | </tr> | 584 | </tr> |
| 585 | <tr> | 585 | <tr> |
| 586 | <td>5.2.12</td> | ||
| 587 | <td>Set·SSH·Idle·Timeout·Interval</td> | ||
| 588 | <td·xml:lang="en-US">SSH·allows·administrators·to·set·an·idle·timeout | ||
| 589 | interval. | ||
| 590 | After·this·interval·has·passed,·the·idle·user·will·be | ||
| 591 | automatically·logged·out. | ||
| 592 | <br><br> | ||
| 593 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | ||
| 594 | follows: | ||
| Max diff block lines reached; 73217/78932 bytes (92.76%) of diff not shown. | |||
| Offset 313, 14 lines modified | Offset 313, 27 lines modified | ||
| 313 | information·on·this·is·available·at | 313 | information·on·this·is·available·at |
| 314 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a> | 314 | <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a> |
| 315 | </td> | 315 | </td> |
| 316 | <td></td> | 316 | <td></td> |
| 317 | </tr> | 317 | </tr> |
| 318 | <tr> | 318 | <tr> |
| 319 | <td>3.1.12</td> | 319 | <td>3.1.12</td> |
| 320 | <td>Enable·Use·of·Strict·Mode·Checking</td> | ||
| 321 | <td·xml:lang="en-US">SSHs·StrictModes·option·checks·file·and·ownership·permissions·in | ||
| 322 | the·user's·home·directory·<code>.ssh</code>·folder·before·accepting·login.·If·world- | ||
| 323 | writable·permissions·are·found,·logon·is·rejected.·To·enable·StrictModes·in·SSH, | ||
| 324 | add·or·correct·the·following·line·in·the·<code>/etc/ssh/sshd_config</code>·file: | ||
| 325 | <pre>StrictModes·yes</pre> | ||
| 326 | </td> | ||
| 327 | <td·xml:lang="en-US">If·other·users·have·access·to·modify·user-specific·SSH·configuration·files,·they | ||
| 328 | may·be·able·to·log·into·the·system·as·another·user.</td> | ||
| 329 | <td></td> | ||
| 330 | </tr> | ||
| 331 | <tr> | ||
| 332 | <td>3.1.12</td> | ||
| 320 | <td>Disable·SSH·Support·for·User·Known·Hosts</td> | 333 | <td>Disable·SSH·Support·for·User·Known·Hosts</td> |
| 321 | <td·xml:lang="en-US">SSH·can·allow·system·users·user·host-based·authentication·to·connect | 334 | <td·xml:lang="en-US">SSH·can·allow·system·users·user·host-based·authentication·to·connect |
| 322 | to·systems·if·a·cache·of·the·remote·systems·public·keys·are·available. | 335 | to·systems·if·a·cache·of·the·remote·systems·public·keys·are·available. |
| 323 | This·should·be·disabled. | 336 | This·should·be·disabled. |
| 324 | <br><br> | 337 | <br><br> |
| 325 | To·ensure·this·behavior·is·disabled,·add·or·correct·the | 338 | To·ensure·this·behavior·is·disabled,·add·or·correct·the |
| 326 | following·line·in·<code>/etc/ssh/sshd_config</code>: | 339 | following·line·in·<code>/etc/ssh/sshd_config</code>: |
| Offset 369, 26 lines modified | Offset 382, 33 lines modified | ||
| 369 | <pre>ClientAliveCountMax·0</pre> | 382 | <pre>ClientAliveCountMax·0</pre> |
| 370 | </td> | 383 | </td> |
| 371 | <td·xml:lang="en-US">This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> | 384 | <td·xml:lang="en-US">This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code> |
| 372 | is·reached.</td> | 385 | is·reached.</td> |
| 373 | <td></td> | 386 | <td></td> |
| 374 | </tr> | 387 | </tr> |
| 375 | <tr> | 388 | <tr> |
| 376 | <td>3.1.1 | 389 | <td>3.1.11</td> |
| 377 | <td> | 390 | <td>Set·SSH·Idle·Timeout·Interval</td> |
| 378 | <td·xml:lang="en-US">SSH· | 391 | <td·xml:lang="en-US">SSH·allows·administrators·to·set·an·idle·timeout |
| 379 | 392 | interval. | |
| 393 | After·this·interval·has·passed,·the·idle·user·will·be | ||
| 394 | automatically·logged·out. | ||
| 380 | <br><br> | 395 | <br><br> |
| 381 | To·en | 396 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as |
| 382 | follow | 397 | follows: |
| 383 | <pre> | 398 | <pre>ClientAliveInterval·<b>interval</b></pre> |
| 384 | </t | 399 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout |
| 385 | 400 | of·10·minutes,·set·<b>interval</b>·to·600. | |
| 386 | 401 | <br><br> | |
| 387 | 402 | If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will· | |
| 403 | preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH | ||
| 404 | from·correctly·detecting·that·the·user·is·idle.</td> | ||
| 405 | <td·xml:lang="en-US">Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of | ||
| 406 | opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session | ||
| 407 | enabled·on·the·console·or·console·port·that·has·been·let·unattended.</td> | ||
| 388 | <td></td> | 408 | <td></td> |
| 389 | </tr> | 409 | </tr> |
| 390 | <tr> | 410 | <tr> |
| 391 | <td>3.1.12</td> | 411 | <td>3.1.12</td> |
| 392 | <td>Limit·Users'·SSH·Access</td> | 412 | <td>Limit·Users'·SSH·Access</td> |
| 393 | <td·xml:lang="en-US">By·default,·the·SSH·configuration·allows·any·user·with·an·account | 413 | <td·xml:lang="en-US">By·default,·the·SSH·configuration·allows·any·user·with·an·account |
| 394 | to·access·the·system.·In·order·to·specify·the·users·that·are·allowed·to·login | 414 | to·access·the·system.·In·order·to·specify·the·users·that·are·allowed·to·login |
| Offset 481, 26 lines modified | Offset 501, 14 lines modified | ||
| 481 | RHEL7·can·be·found·at·http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.</td> | 501 | RHEL7·can·be·found·at·http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.</td> |
| 482 | <td·xml:lang="en-US">DoD·Information·Systems·are·required·to·use·FIPS-approved·cryptographic·hash | 502 | <td·xml:lang="en-US">DoD·Information·Systems·are·required·to·use·FIPS-approved·cryptographic·hash |
| 483 | functions.·The·only·SSHv2·hash·algorithms·meeting·this·requirement·is·SHA2.</td> | 503 | functions.·The·only·SSHv2·hash·algorithms·meeting·this·requirement·is·SHA2.</td> |
| 484 | <td></td> | 504 | <td></td> |
| 485 | </tr> | 505 | </tr> |
| 486 | <tr> | 506 | <tr> |
| 487 | <td>3.1.12</td> | 507 | <td>3.1.12</td> |
| 488 | <td>Do·Not·Allow·SSH·Environment·Options</td> | ||
| 489 | <td·xml:lang="en-US">To·ensure·users·are·not·able·to·override·environment | ||
| 490 | options·to·the·SSH·daemon,·add·or·correct·the·following·line | ||
| 491 | in·<code>/etc/ssh/sshd_config</code>: | ||
| 492 | <pre>PermitUserEnvironment·no</pre> | ||
| 493 | </td> | ||
| 494 | <td·xml:lang="en-US">SSH·environment·options·potentially·allow·users·to·bypass | ||
| 495 | access·restriction·in·some·configurations.</td> | ||
| 496 | <td></td> | ||
| 497 | </tr> | ||
| 498 | <tr> | ||
| 499 | <td>3.1.12</td> | ||
| 500 | <td>Disable·Kerberos·Authentication</td> | 508 | <td>Disable·Kerberos·Authentication</td> |
| 501 | <td·xml:lang="en-US">Unless·needed,·SSH·should·not·permit·extraneous·or·unnecessary | 509 | <td·xml:lang="en-US">Unless·needed,·SSH·should·not·permit·extraneous·or·unnecessary |
| 502 | authentication·mechanisms·like·Kerberos.·To·disable·Kerberos·authentication,·add | 510 | authentication·mechanisms·like·Kerberos.·To·disable·Kerberos·authentication,·add |
| 503 | or·correct·the·following·line·in·the·<code>/etc/ssh/sshd_config</code>·file: | 511 | or·correct·the·following·line·in·the·<code>/etc/ssh/sshd_config</code>·file: |
| 504 | <pre>KerberosAuthentication·no</pre> | 512 | <pre>KerberosAuthentication·no</pre> |
| 505 | </td> | 513 | </td> |
| 506 | <td·xml:lang="en-US">Kerberos·authentication·for·SSH·is·often·implemented·using·GSSAPI.·If·Kerberos | 514 | <td·xml:lang="en-US">Kerberos·authentication·for·SSH·is·often·implemented·using·GSSAPI.·If·Kerberos |
| Offset 551, 33 lines modified | Offset 559, 38 lines modified | ||
| 551 | <pre>IgnoreRhosts·yes</pre> | 559 | <pre>IgnoreRhosts·yes</pre> |
| 552 | </td> | 560 | </td> |
| 553 | <td·xml:lang="en-US">SSH·trust·relationships·mean·a·compromise·on·one·host | 561 | <td·xml:lang="en-US">SSH·trust·relationships·mean·a·compromise·on·one·host |
| 554 | can·allow·an·attacker·to·move·trivially·to·other·hosts.</td> | 562 | can·allow·an·attacker·to·move·trivially·to·other·hosts.</td> |
| 555 | <td></td> | 563 | <td></td> |
| 556 | </tr> | 564 | </tr> |
| 557 | <tr> | 565 | <tr> |
| 558 | <td>3.1.1 | 566 | <td>3.1.12</td> |
| 559 | <td> | 567 | <td>Disable·SSH·Support·for·Rhosts·RSA·Authentication</td> |
| 560 | <td·xml:lang="en-US">SSH·allow | 568 | <td·xml:lang="en-US">SSH·can·allow·authentication·through·the·obsolete·rsh |
| 561 | in | 569 | command·through·the·use·of·the·authenticating·user's·SSH·keys.·This·should·be·disabled. |
| 562 | After·this·interval·has·passed,·the·idle·user·will·be | ||
| 563 | automatically·logged·out. | ||
| 564 | <br><br> | ||
| 565 | To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as | ||
| 566 | follows: | ||
| 567 | <pre>ClientAliveInterval·<b>interval</b></pre> | ||
| 568 | The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout | ||
| 569 | of·10·minutes,·set·<b>interval</b>·to·600. | ||
| 570 | <br><br> | 570 | <br><br> |
| 571 | 571 | To·ensure·this·behavior·is·disabled,·add·or·correct·the | |
| 572 | 572 | following·line·in·<code>/etc/ssh/sshd_config</code>: | |
| 573 | 573 | <pre>RhostsRSAAuthentication·no</pre> | |
| 574 | < | 574 | </td> |
| 575 | 575 | <td·xml:lang="en-US">Configuring·this·setting·for·the·SSH·daemon·provides·additional | |
| 576 | 576 | assurance·that·remove·login·via·SSH·will·require·a·password,·even | |
| 577 | in·the·event·of·misconfiguration·elsewhere.</td> | ||
| 578 | <td></td> | ||
| 579 | </tr> | ||
| 580 | <tr> | ||
| 581 | <td>3.1.12</td> | ||
| 582 | <td>Do·Not·Allow·SSH·Environment·Options</td> | ||
| 583 | <td·xml:lang="en-US">To·ensure·users·are·not·able·to·override·environment | ||
| 584 | options·to·the·SSH·daemon,·add·or·correct·the·following·line | ||
| 585 | in·<code>/etc/ssh/sshd_config</code>: | ||
| 586 | <pre>PermitUserEnvironment·no</pre> | ||
| 587 | </td> | ||
| 588 | <td·xml:lang="en-US">SSH·environment·options·potentially·allow·users·to·bypass | ||
| Max diff block lines reached; 116489/123219 bytes (94.54%) of diff not shown. | |||
| Offset 555, 14 lines modified | Offset 555, 28 lines modified | ||
| 555 | </td> | 555 | </td> |
| 556 | <td·xml:lang="en-US">Using·the·<code>-s</code>·option·causes·the·TFTP·service·to·only·serve·files·from·the | 556 | <td·xml:lang="en-US">Using·the·<code>-s</code>·option·causes·the·TFTP·service·to·only·serve·files·from·the |
| 557 | given·directory.·Serving·files·from·an·intentionally-specified·directory | 557 | given·directory.·Serving·files·from·an·intentionally-specified·directory |
| 558 | reduces·the·risk·of·sharing·files·which·should·remain·private.</td> | 558 | reduces·the·risk·of·sharing·files·which·should·remain·private.</td> |
| 559 | <td></td> | 559 | <td></td> |
| 560 | </tr> | 560 | </tr> |
| 561 | <tr> | 561 | <tr> |
| 562 | <td>CM-6(b)</td> | ||
| 563 | <td>Install·tcp_wrappers·Package</td> | ||
| 564 | <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the | ||
| 565 | <code>tcp_wrappers</code>·package·should·be·installed. | ||
| 566 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: | ||
| 567 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre> | ||
| 568 | </td> | ||
| 569 | <td·xml:lang="en-US">Access·control·methods·provide·the·ability·to·enhance·system·security·posture | ||
| 570 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | ||
| 571 | prevents·connections·from·unknown·hosts·and·protocols.</td> | ||
| 572 | <td></td> | ||
| 573 | </tr> | ||
| 574 | <tr> | ||
| 562 | <td>AC-17(8)</td> | 575 | <td>AC-17(8)</td> |
| 563 | <td>Disable·xinetd·Service</td> | 576 | <td>Disable·xinetd·Service</td> |
| 564 | <td·xml:lang="en-US"> | 577 | <td·xml:lang="en-US"> |
| 565 | ············ | 578 | ············ |
| 566 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: | 579 | ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: |
| 567 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> | 580 | ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> |
| 568 | ··········</td> | 581 | ··········</td> |
| Offset 583, 28 lines modified | Offset 597, 14 lines modified | ||
| 583 | <td·xml:lang="en-US">The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, | 597 | <td·xml:lang="en-US">The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, |
| 584 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling | 598 | which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling |
| 585 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents | 599 | it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents |
| 586 | attacks·against·xinetd·itself.</td> | 600 | attacks·against·xinetd·itself.</td> |
| 587 | <td></td> | 601 | <td></td> |
| 588 | </tr> | 602 | </tr> |
| 589 | <tr> | 603 | <tr> |
| 590 | <td>CM-6(b)</td> | ||
| 591 | <td>Install·tcp_wrappers·Package</td> | ||
| 592 | <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the | ||
| 593 | <code>tcp_wrappers</code>·package·should·be·installed. | ||
| 594 | ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: | ||
| 595 | ········<pre>$·sudo·yum·install·tcp_wrappers</pre> | ||
| 596 | </td> | ||
| 597 | <td·xml:lang="en-US">Access·control·methods·provide·the·ability·to·enhance·system·security·posture | ||
| 598 | by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This | ||
| 599 | prevents·connections·from·unknown·hosts·and·protocols.</td> | ||
| 600 | <td></td> | ||
| 601 | </tr> | ||
| 602 | <tr> | ||
| 603 | <td>AC-17(8)</td> | 604 | <td>AC-17(8)</td> |
| 604 | <td>Uninstall·xinetd·Package</td> | 605 | <td>Uninstall·xinetd·Package</td> |
| 605 | <td·xml:lang="en-US">The·<code>xinetd</code>·package·can·be·uninstalled·with·the·following·command: | 606 | <td·xml:lang="en-US">The·<code>xinetd</code>·package·can·be·uninstalled·with·the·following·command: |
| 606 | <pre>$·sudo·yum·erase·xinetd</pre> | 607 | <pre>$·sudo·yum·erase·xinetd</pre> |
| 607 | </td> | 608 | </td> |
| 608 | <td·xml:lang="en-US">Removing·the·<code>xinetd</code>·package·decreases·the·risk·of·the | 609 | <td·xml:lang="en-US">Removing·the·<code>xinetd</code>·package·decreases·the·risk·of·the |
| 609 | xinetd·service's·accidental·(or·intentional)·activation.</td> | 610 | xinetd·service's·accidental·(or·intentional)·activation.</td> |
| Offset 775, 28 lines modified | Offset 775, 14 lines modified | ||
| 775 | out·activities·outside·of·a·normal·login·session,·which·could·complicate | 775 | out·activities·outside·of·a·normal·login·session,·which·could·complicate |
| 776 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or | 776 | accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or |
| 777 | <code>batch</code>·is·not·common.</td> | 777 | <code>batch</code>·is·not·common.</td> |
| 778 | <td></td> | 778 | <td></td> |
| 779 | </tr> | 779 | </tr> |
| 780 | <tr> | 780 | <tr> |
| 781 | <td>AC-17(8).1(ii)</td> | 781 | <td>AC-17(8).1(ii)</td> |
| 782 | <td>Remove·the·X·Windows·Package·Group</td> | ||
| 783 | <td·xml:lang="en-US">By·removing·the·xorg-x11-server-common·package,·the·system·no·longer·has·X·Windows | ||
| 784 | installed.·If·X·Windows·is·not·installed·then·the·system·cannot·boot·into·graphical·user·mode. | ||
| 785 | This·prevents·the·system·from·being·accidentally·or·maliciously·booted·into·a·<code>graphical.target</code> | ||
| 786 | mode.·To·do·so,·run·the·following·command: | ||
| 787 | <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> | ||
| 788 | <pre>$·sudo·yum·remove·xorg-x11-server-common</pre> | ||
| 789 | </td> | ||
| 790 | <td·xml:lang="en-US">Unnecessary·service·packages·must·not·be·installed·to·decrease·the·attack·surface·of·the·system.·X·windows·has·a·long·history·of·security | ||
| 791 | vulnerabilities·and·should·not·be·installed·unless·approved·and·documented.</td> | ||
| 792 | <td></td> | ||
| 793 | </tr> | ||
| 794 | <tr> | ||
| 795 | <td>AC-17(8).1(ii)</td> | ||
| 796 | <td>Disable·X·Windows·Startup·By·Setting·Default·Target</td> | 782 | <td>Disable·X·Windows·Startup·By·Setting·Default·Target</td> |
| 797 | <td·xml:lang="en-US">Systems·that·do·not·require·a·graphical·user·interface·should·only·boot·by | 783 | <td·xml:lang="en-US">Systems·that·do·not·require·a·graphical·user·interface·should·only·boot·by |
| 798 | default·into·<code>multi-user.target</code>·mode.·This·prevents·accidental·booting·of·the·system | 784 | default·into·<code>multi-user.target</code>·mode.·This·prevents·accidental·booting·of·the·system |
| 799 | into·a·<code>graphical.target</code>·mode.·Setting·the·system's·default·target·to | 785 | into·a·<code>graphical.target</code>·mode.·Setting·the·system's·default·target·to |
| 800 | <code>multi-user.target</code>·will·prevent·automatic·startup·of·the·X·server.·To·do·so,·run: | 786 | <code>multi-user.target</code>·will·prevent·automatic·startup·of·the·X·server.·To·do·so,·run: |
| 801 | <pre>$·systemctl·set-default·multi-user.target</pre> | 787 | <pre>$·systemctl·set-default·multi-user.target</pre> |
| 802 | You·should·see·the·following·output: | 788 | You·should·see·the·following·output: |
| Offset 806, 14 lines modified | Offset 792, 28 lines modified | ||
| 806 | <td·xml:lang="en-US">Services·that·are·not·required·for·system·and·application·processes | 792 | <td·xml:lang="en-US">Services·that·are·not·required·for·system·and·application·processes |
| 807 | must·not·be·active·to·decrease·the·attack·surface·of·the·system.·X·windows·has·a | 793 | must·not·be·active·to·decrease·the·attack·surface·of·the·system.·X·windows·has·a |
| 808 | long·history·of·security·vulnerabilities·and·should·not·be·used·unless·approved | 794 | long·history·of·security·vulnerabilities·and·should·not·be·used·unless·approved |
| 809 | and·documented.</td> | 795 | and·documented.</td> |
| 810 | <td></td> | 796 | <td></td> |
| 811 | </tr> | 797 | </tr> |
| 812 | <tr> | 798 | <tr> |
| 799 | <td>AC-17(8).1(ii)</td> | ||
| 800 | <td>Remove·the·X·Windows·Package·Group</td> | ||
| 801 | <td·xml:lang="en-US">By·removing·the·xorg-x11-server-common·package,·the·system·no·longer·has·X·Windows | ||
| 802 | installed.·If·X·Windows·is·not·installed·then·the·system·cannot·boot·into·graphical·user·mode. | ||
| 803 | This·prevents·the·system·from·being·accidentally·or·maliciously·booted·into·a·<code>graphical.target</code> | ||
| 804 | mode.·To·do·so,·run·the·following·command: | ||
| 805 | <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> | ||
| 806 | <pre>$·sudo·yum·remove·xorg-x11-server-common</pre> | ||
| 807 | </td> | ||
| 808 | <td·xml:lang="en-US">Unnecessary·service·packages·must·not·be·installed·to·decrease·the·attack·surface·of·the·system.·X·windows·has·a·long·history·of·security | ||
| 809 | vulnerabilities·and·should·not·be·installed·unless·approved·and·documented.</td> | ||
| 810 | <td></td> | ||
| 811 | </tr> | ||
| 812 | <tr> | ||
| 813 | <td>SC-32</td> | 813 | <td>SC-32</td> |
| 814 | <td>Uninstall·quagga·Package</td> | 814 | <td>Uninstall·quagga·Package</td> |
| 815 | <td·xml:lang="en-US"> | 815 | <td·xml:lang="en-US"> |
| 816 | ············ | 816 | ············ |
| 817 | ········The·<code>quagga</code>·package·can·be·removed·with·the·following·command: | 817 | ········The·<code>quagga</code>·package·can·be·removed·with·the·following·command: |
| 818 | ········<pre>$·sudo·yum·erase·quagga</pre> | 818 | ········<pre>$·sudo·yum·erase·quagga</pre> |
| 819 | ··········</td> | 819 | ··········</td> |
| Offset 924, 39 lines modified | Offset 924, 49 lines modified | ||
| 924 | <td·xml:lang="en-US">Unnecessary·packages·should·not·be·installed·to·decrease·the·attack | 924 | <td·xml:lang="en-US">Unnecessary·packages·should·not·be·installed·to·decrease·the·attack |
| 925 | surface·of·the·system.··While·this·software·is·clearly·essential·on·an·LDAP | 925 | surface·of·the·system.··While·this·software·is·clearly·essential·on·an·LDAP |
| 926 | server,·it·is·not·necessary·on·typical·desktop·or·workstation·systems.</td> | 926 | server,·it·is·not·necessary·on·typical·desktop·or·workstation·systems.</td> |
| 927 | <td></td> | 927 | <td></td> |
| 928 | </tr> | 928 | </tr> |
| 929 | <tr> | 929 | <tr> |
| 930 | <td>AC-17(2)</td> | 930 | <td>AC-17(2)</td> |
| 931 | <td> | 931 | <td>Configure·LDAP·Client·to·Use·TLS·For·All·Transactions</td> |
| 932 | <td·xml:lang="en-US">T | 932 | <td·xml:lang="en-US">This·check·verifies·that·RHEL7·implements·cryptography |
| 933 | to·protect·the·integrity·of·remote·LDAP·authentication·sessions. | ||
| 934 | <br><br> | ||
| Max diff block lines reached; 577257/583448 bytes (98.94%) of diff not shown. | |||
| Offset 191, 23 lines modified | Offset 191, 28 lines modified | ||
| 191 | real-time·screen·display·(such·as·network·management·products)·require·the | 191 | real-time·screen·display·(such·as·network·management·products)·require·the |
| 192 | login·session·does·not·have·administrator·rights·and·the·display·station·is·located·in·a | 192 | login·session·does·not·have·administrator·rights·and·the·display·station·is·located·in·a |
| 193 | controlled-access·area.</td> | 193 | controlled-access·area.</td> |
| 194 | <td></td> | 194 | <td></td> |
| 195 | </tr> | 195 | </tr> |
| 196 | <tr> | 196 | <tr> |
| 197 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> | 197 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> |
| 198 | <td> | 198 | <td>Implement·Blank·Screensaver</td> |
| 199 | <td·xml:lang="en-US"> | 199 | <td·xml:lang="en-US">To·set·the·screensaver·mode·in·the·GNOME3·desktop·to·a·blank·screen, |
| 200 | 200 | add·or·set·<code>picture-uri</code>·to·<code>string·''</code>·in | |
| 201 | 201 | <code>/etc/dconf/db/local.d/00-security-settings</code>.·For·example: | |
| 202 | <pre>[org/gnome/desktop/screensaver] | ||
| 203 | picture-uri=string·'' | ||
| 204 | </pre> | ||
| 205 | Once·the·settings·have·been·added,·add·a·lock·to | ||
| 206 | <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification. | ||
| 202 | For·example: | 207 | For·example: |
| 203 | <pre>/org/gnome/desktop/screensaver/ | 208 | <pre>/org/gnome/desktop/screensaver/picture-uri</pre> |
| 204 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</td> | 209 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</td> |
| 205 | <td·xml:lang="en-US"> | 210 | <td·xml:lang="en-US">Setting·the·screensaver·mode·to·blank-only·conceals·the |
| 206 | 211 | contents·of·the·display·from·passersby.</td> | |
| 207 | <td></td> | 212 | <td></td> |
| 208 | </tr> | 213 | </tr> |
| 209 | <tr> | 214 | <tr> |
| 210 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> | 215 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> |
| 211 | <td>Set·GNOME3·Screensaver·Inactivity·Timeout</td> | 216 | <td>Set·GNOME3·Screensaver·Inactivity·Timeout</td> |
| 212 | <td·xml:lang="en-US">The·idle·time-out·value·for·inactivity·in·the·GNOME3·desktop·is·configured·via·the·<code>idle-delay</code> | 217 | <td·xml:lang="en-US">The·idle·time-out·value·for·inactivity·in·the·GNOME3·desktop·is·configured·via·the·<code>idle-delay</code> |
| 213 | setting·must·be·set·under·an·appropriate·configuration·file(s)·in·the·<code>/etc/dconf/db/local.d</code>·directory | 218 | setting·must·be·set·under·an·appropriate·configuration·file(s)·in·the·<code>/etc/dconf/db/local.d</code>·directory |
| Offset 240, 28 lines modified | Offset 245, 23 lines modified | ||
| 240 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</td> | 245 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</td> |
| 241 | <td·xml:lang="en-US">A·session·lock·is·a·temporary·action·taken·when·a·user·stops·work·and·moves·away·from·the·immediate·physical·vicinity | 246 | <td·xml:lang="en-US">A·session·lock·is·a·temporary·action·taken·when·a·user·stops·work·and·moves·away·from·the·immediate·physical·vicinity |
| 242 | of·the·information·system·but·does·not·want·to·logout·because·of·the·temporary·nature·of·the·absense.</td> | 247 | of·the·information·system·but·does·not·want·to·logout·because·of·the·temporary·nature·of·the·absense.</td> |
| 243 | <td></td> | 248 | <td></td> |
| 244 | </tr> | 249 | </tr> |
| 245 | <tr> | 250 | <tr> |
| 246 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> | 251 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> |
| 247 | <td> | 252 | <td>Ensure·Users·Cannot·Change·GNOME3·Screensaver·Idle·Activation</td> |
| 248 | <td·xml:lang="en-US"> | 253 | <td·xml:lang="en-US">If·not·already·configured,·ensure·that·users·cannot·change·GNOME3·screensaver·lock·settings |
| 249 | add | 254 | by·adding·<pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre> |
| 250 | <code>/etc/dconf/db/local.d/00-security-settings</code>. | 255 | to·<code>/etc/dconf/db/local.d/00-security-settings</code>. |
| 251 | <pre>[org/gnome/desktop/screensaver] | ||
| 252 | picture-uri=string·'' | ||
| 253 | </pre> | ||
| 254 | Once·the·settings·have·been·added,·add·a·lock·to | ||
| 255 | <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification. | ||
| 256 | For·example: | 256 | For·example: |
| 257 | <pre>/org/gnome/desktop/screensaver/ | 257 | <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre> |
| 258 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</td> | 258 | After·the·settings·have·been·set,·run·<code>dconf·update</code>.</td> |
| 259 | <td·xml:lang="en-US"> | 259 | <td·xml:lang="en-US">A·session·lock·is·a·temporary·action·taken·when·a·user·stops·work·and·moves·away·from·the·immediate·physical·vicinity |
| 260 | 260 | of·the·information·system·but·does·not·want·to·logout·because·of·the·temporary·nature·of·the·absense.</td> | |
| 261 | <td></td> | 261 | <td></td> |
| 262 | </tr> | 262 | </tr> |
| 263 | <tr> | 263 | <tr> |
| 264 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> | 264 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> |
| 265 | <td>Enable·GNOME3·Screensaver·Lock·After·Idle·Period</td> | 265 | <td>Enable·GNOME3·Screensaver·Lock·After·Idle·Period</td> |
| 266 | <td·xml:lang="en-US">To·activate·locking·of·the·screensaver·in·the·GNOME3·desktop·when·it·is·activated, | 266 | <td·xml:lang="en-US">To·activate·locking·of·the·screensaver·in·the·GNOME3·desktop·when·it·is·activated, |
| 267 | add·or·set·<code>lock-enabled</code>·to·<code>true</code>·in | 267 | add·or·set·<code>lock-enabled</code>·to·<code>true</code>·in |
| Offset 931, 35 lines modified | Offset 931, 14 lines modified | ||
| 931 | </td> | 931 | </td> |
| 932 | <td·xml:lang="en-US">Manual·editing·of·these·files·may·indicate·nefarious·activity,·such | 932 | <td·xml:lang="en-US">Manual·editing·of·these·files·may·indicate·nefarious·activity,·such |
| 933 | as·an·attacker·attempting·to·remove·evidence·of·an·intrusion.</td> | 933 | as·an·attacker·attempting·to·remove·evidence·of·an·intrusion.</td> |
| 934 | <td></td> | 934 | <td></td> |
| 935 | </tr> | 935 | </tr> |
| 936 | <tr> | 936 | <tr> |
| 937 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.2.b</a></td> | 937 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.2.b</a></td> |
| 938 | <td>Record·Attempts·to·Alter·the·localtime·File</td> | ||
| 939 | <td·xml:lang="en-US">If·the·<code>auditd</code>·daemon·is·configured·to·use·the | ||
| 940 | <code>augenrules</code>·program·to·read·audit·rules·during·daemon·startup·(the·default), | ||
| 941 | add·the·following·line·to·a·file·with·suffix·<code>.rules</code>·in·the·directory | ||
| 942 | <code>/etc/audit/rules.d</code>: | ||
| 943 | <pre>-w·/etc/localtime·-p·wa·-k·audit_time_rules</pre> | ||
| 944 | If·the·<code>auditd</code>·daemon·is·configured·to·use·the·<code>auditctl</code> | ||
| 945 | utility·to·read·audit·rules·during·daemon·startup,·add·the·following·line·to | ||
| 946 | <code>/etc/audit/audit.rules</code>·file: | ||
| 947 | <pre>-w·/etc/localtime·-p·wa·-k·audit_time_rules</pre> | ||
| 948 | The·-k·option·allows·for·the·specification·of·a·key·in·string·form·that·can | ||
| 949 | be·used·for·better·reporting·capability·through·ausearch·and·aureport·and | ||
| 950 | should·always·be·used.</td> | ||
| 951 | <td·xml:lang="en-US">Arbitrary·changes·to·the·system·time·can·be·used·to·obfuscate | ||
| 952 | nefarious·activities·in·log·files,·as·well·as·to·confuse·network·services·that | ||
| 953 | are·highly·dependent·upon·an·accurate·system·time·(such·as·sshd).·All·changes | ||
| 954 | to·the·system·time·should·be·audited.</td> | ||
| 955 | <td></td> | ||
| 956 | </tr> | ||
| 957 | <tr> | ||
| 958 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.2.b</a></td> | ||
| 959 | <td>Record·Attempts·to·Alter·Time·Through·stime</td> | 938 | <td>Record·Attempts·to·Alter·Time·Through·stime</td> |
| 960 | <td·xml:lang="en-US">If·the·<code>auditd</code>·daemon·is·configured·to·use·the | 939 | <td·xml:lang="en-US">If·the·<code>auditd</code>·daemon·is·configured·to·use·the |
| 961 | <code>augenrules</code>·program·to·read·audit·rules·during·daemon·startup·(the | 940 | <code>augenrules</code>·program·to·read·audit·rules·during·daemon·startup·(the |
| 962 | default),·add·the·following·line·to·a·file·with·suffix·<code>.rules</code>·in·the | 941 | default),·add·the·following·line·to·a·file·with·suffix·<code>.rules</code>·in·the |
| 963 | directory·<code>/etc/audit/rules.d</code>·for·both·32·bit·and·64·bit·systems: | 942 | directory·<code>/etc/audit/rules.d</code>·for·both·32·bit·and·64·bit·systems: |
| 964 | <pre>-a·always,exit·-F·arch=b32·-S·stime·-F·key=audit_time_rules</pre> | 943 | <pre>-a·always,exit·-F·arch=b32·-S·stime·-F·key=audit_time_rules</pre> |
| 965 | Since·the·64·bit·version·of·the·"stime"·system·call·is·not·defined·in·the·audit | 944 | Since·the·64·bit·version·of·the·"stime"·system·call·is·not·defined·in·the·audit |
| Offset 984, 34 lines modified | Offset 963, 27 lines modified | ||
| 984 | nefarious·activities·in·log·files,·as·well·as·to·confuse·network·services·that | 963 | nefarious·activities·in·log·files,·as·well·as·to·confuse·network·services·that |
| 985 | are·highly·dependent·upon·an·accurate·system·time·(such·as·sshd).·All·changes | 964 | are·highly·dependent·upon·an·accurate·system·time·(such·as·sshd).·All·changes |
| 986 | to·the·system·time·should·be·audited.</td> | 965 | to·the·system·time·should·be·audited.</td> |
| 987 | <td></td> | 966 | <td></td> |
| 988 | </tr> | 967 | </tr> |
| 989 | <tr> | 968 | <tr> |
| 990 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.2.b</a></td> | 969 | <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.2.b</a></td> |
| 991 | <td>Record· | 970 | <td>Record·Attempts·to·Alter·the·localtime·File</td> |
| 992 | <td·xml:lang="en-US">If·the·<code>auditd</code>·daemon·is·configured·to·use·the | 971 | <td·xml:lang="en-US">If·the·<code>auditd</code>·daemon·is·configured·to·use·the |
| 993 | <code>augenrules</code>·program·to·read·audit·rules·during·daemon·startup·(the | 972 | <code>augenrules</code>·program·to·read·audit·rules·during·daemon·startup·(the·default), |
| 994 | 973 | add·the·following·line·to·a·file·with·suffix·<code>.rules</code>·in·the·directory | |
| 995 | 974 | <code>/etc/audit/rules.d</code>: | |
| 996 | <pre>- | 975 | <pre>-w·/etc/localtime·-p·wa·-k·audit_time_rules</pre> |
| 997 | If·the·system·is·64·bit·then·also·add·the·following·line: | ||
| 998 | <pre>-a·always,exit·-F·arch=b64·-S·adjtimex·-F·key=audit_time_rules</pre> | ||
| 999 | If·the·<code>auditd</code>·daemon·is·configured·to·use·the·<code>auditctl</code> | 976 | If·the·<code>auditd</code>·daemon·is·configured·to·use·the·<code>auditctl</code> |
| 1000 | utility·to·read·audit·rules·during·daemon·startup,·add·the·following·line·to | 977 | utility·to·read·audit·rules·during·daemon·startup,·add·the·following·line·to |
| 1001 | <code>/etc/audit/audit.rules</code>·file: | 978 | <code>/etc/audit/audit.rules</code>·file: |
| 1002 | <pre>- | 979 | <pre>-w·/etc/localtime·-p·wa·-k·audit_time_rules</pre> |
| 1003 | 980 | The·-k·option·allows·for·the·specification·of·a·key·in·string·form·that·can | |
| 1004 | 981 | be·used·for·better·reporting·capability·through·ausearch·and·aureport·and | |
| 1005 | 982 | should·always·be·used.</td> | |
| 1006 | used·for·better·reporting·capability·through·ausearch·and·aureport.·Multiple | ||
| 1007 | system·calls·can·be·defined·on·the·same·line·to·save·space·if·desired,·but·is | ||
| 1008 | not·required.·See·an·example·of·multiple·combined·syscalls: | ||
| 1009 | <pre>-a·always,exit·-F·arch=b64·-S·adjtimex,settimeofday·-F·key=audit_time_rules</pre> | ||
| 1010 | </td> | ||
| 1011 | <td·xml:lang="en-US">Arbitrary·changes·to·the·system·time·can·be·used·to·obfuscate | 983 | <td·xml:lang="en-US">Arbitrary·changes·to·the·system·time·can·be·used·to·obfuscate |
| 1012 | nefarious·activities·in·log·files,·as·well·as·to·confuse·network·services·that | 984 | nefarious·activities·in·log·files,·as·well·as·to·confuse·network·services·that |
| 1013 | are·highly·dependent·upon·an·accurate·system·time·(such·as·sshd).·All·changes | 985 | are·highly·dependent·upon·an·accurate·system·time·(such·as·sshd).·All·changes |
| 1014 | to·the·system·time·should·be·audited.</td> | 986 | to·the·system·time·should·be·audited.</td> |
| 1015 | <td></td> | 987 | <td></td> |
| 1016 | </tr> | 988 | </tr> |
| Max diff block lines reached; 34119/43183 bytes (79.01%) of diff not shown. | |||
| Offset 175, 30 lines modified | Offset 175, 14 lines modified | ||
| 175 | <td></td> | 175 | <td></td> |
| 176 | </tr> | 176 | </tr> |
| 177 | <tr> | 177 | <tr> |
| 178 | <td>SRG-OS-000480-GPOS-00232</td> | 178 | <td>SRG-OS-000480-GPOS-00232</td> |
| 179 | <td>CCI-000366</td> | 179 | <td>CCI-000366</td> |
| 180 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 180 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 181 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 181 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 182 | <td>package_xorg-x11-server-common_removed</td> | ||
| 183 | <td>Remove·the·X·Windows·Package·Group</td> | ||
| 184 | <td·xml:lang="en-US">By·removing·the·xorg-x11-server-common·package,·the·system·no·longer·has·X·Windows | ||
| 185 | installed.·If·X·Windows·is·not·installed·then·the·system·cannot·boot·into·graphical·user·mode. | ||
| 186 | This·prevents·the·system·from·being·accidentally·or·maliciously·booted·into·a·<code>graphical.target</code> | ||
| 187 | mode.·To·do·so,·run·the·following·command: | ||
| 188 | <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> | ||
| 189 | <pre>$·sudo·yum·remove·xorg-x11-server-common</pre> | ||
| 190 | </td> | ||
| 191 | <td></td> | ||
| 192 | </tr> | ||
| 193 | <tr> | ||
| 194 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 195 | <td>CCI-000366</td> | ||
| 196 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 197 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 198 | <td>xwindows_runlevel_setting</td> | 182 | <td>xwindows_runlevel_setting</td> |
| 199 | <td>Disable·X·Windows·Startup·By·Setting·Default·Target</td> | 183 | <td>Disable·X·Windows·Startup·By·Setting·Default·Target</td> |
| 200 | <td·xml:lang="en-US">Systems·that·do·not·require·a·graphical·user·interface·should·only·boot·by | 184 | <td·xml:lang="en-US">Systems·that·do·not·require·a·graphical·user·interface·should·only·boot·by |
| 201 | default·into·<code>multi-user.target</code>·mode.·This·prevents·accidental·booting·of·the·system | 185 | default·into·<code>multi-user.target</code>·mode.·This·prevents·accidental·booting·of·the·system |
| 202 | into·a·<code>graphical.target</code>·mode.·Setting·the·system's·default·target·to | 186 | into·a·<code>graphical.target</code>·mode.·Setting·the·system's·default·target·to |
| 203 | <code>multi-user.target</code>·will·prevent·automatic·startup·of·the·X·server.·To·do·so,·run: | 187 | <code>multi-user.target</code>·will·prevent·automatic·startup·of·the·X·server.·To·do·so,·run: |
| 204 | <pre>$·systemctl·set-default·multi-user.target</pre> | 188 | <pre>$·systemctl·set-default·multi-user.target</pre> |
| Offset 209, 14 lines modified | Offset 193, 30 lines modified | ||
| 209 | <td></td> | 193 | <td></td> |
| 210 | </tr> | 194 | </tr> |
| 211 | <tr> | 195 | <tr> |
| 212 | <td>SRG-OS-000480-GPOS-00232</td> | 196 | <td>SRG-OS-000480-GPOS-00232</td> |
| 213 | <td>CCI-000366</td> | 197 | <td>CCI-000366</td> |
| 214 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 198 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 215 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 199 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 200 | <td>package_xorg-x11-server-common_removed</td> | ||
| 201 | <td>Remove·the·X·Windows·Package·Group</td> | ||
| 202 | <td·xml:lang="en-US">By·removing·the·xorg-x11-server-common·package,·the·system·no·longer·has·X·Windows | ||
| 203 | installed.·If·X·Windows·is·not·installed·then·the·system·cannot·boot·into·graphical·user·mode. | ||
| 204 | This·prevents·the·system·from·being·accidentally·or·maliciously·booted·into·a·<code>graphical.target</code> | ||
| 205 | mode.·To·do·so,·run·the·following·command: | ||
| 206 | <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> | ||
| 207 | <pre>$·sudo·yum·remove·xorg-x11-server-common</pre> | ||
| 208 | </td> | ||
| 209 | <td></td> | ||
| 210 | </tr> | ||
| 211 | <tr> | ||
| 212 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 213 | <td>CCI-000366</td> | ||
| 214 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 215 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 216 | <td>package_quagga_removed</td> | 216 | <td>package_quagga_removed</td> |
| 217 | <td>Uninstall·quagga·Package</td> | 217 | <td>Uninstall·quagga·Package</td> |
| 218 | <td·xml:lang="en-US"> | 218 | <td·xml:lang="en-US"> |
| 219 | ············ | 219 | ············ |
| 220 | ········The·<code>quagga</code>·package·can·be·removed·with·the·following·command: | 220 | ········The·<code>quagga</code>·package·can·be·removed·with·the·following·command: |
| 221 | ········<pre>$·sudo·yum·erase·quagga</pre> | 221 | ········<pre>$·sudo·yum·erase·quagga</pre> |
| 222 | ··········</td> | 222 | ··········</td> |
| Offset 437, 14 lines modified | Offset 437, 29 lines modified | ||
| 437 | <td></td> | 437 | <td></td> |
| 438 | </tr> | 438 | </tr> |
| 439 | <tr> | 439 | <tr> |
| 440 | <td>SRG-OS-000480-GPOS-00232</td> | 440 | <td>SRG-OS-000480-GPOS-00232</td> |
| 441 | <td>CCI-000366</td> | 441 | <td>CCI-000366</td> |
| 442 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 442 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 443 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 443 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 444 | <td>sshd_enable_strictmodes</td> | ||
| 445 | <td>Enable·Use·of·Strict·Mode·Checking</td> | ||
| 446 | <td·xml:lang="en-US">SSHs·StrictModes·option·checks·file·and·ownership·permissions·in | ||
| 447 | the·user's·home·directory·<code>.ssh</code>·folder·before·accepting·login.·If·world- | ||
| 448 | writable·permissions·are·found,·logon·is·rejected.·To·enable·StrictModes·in·SSH, | ||
| 449 | add·or·correct·the·following·line·in·the·<code>/etc/ssh/sshd_config</code>·file: | ||
| 450 | <pre>StrictModes·yes</pre> | ||
| 451 | </td> | ||
| 452 | <td></td> | ||
| 453 | </tr> | ||
| 454 | <tr> | ||
| 455 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 456 | <td>CCI-000366</td> | ||
| 457 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 458 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 444 | <td>sshd_disable_user_known_hosts</td> | 459 | <td>sshd_disable_user_known_hosts</td> |
| 445 | <td>Disable·SSH·Support·for·User·Known·Hosts</td> | 460 | <td>Disable·SSH·Support·for·User·Known·Hosts</td> |
| 446 | <td·xml:lang="en-US">SSH·can·allow·system·users·user·host-based·authentication·to·connect | 461 | <td·xml:lang="en-US">SSH·can·allow·system·users·user·host-based·authentication·to·connect |
| 447 | to·systems·if·a·cache·of·the·remote·systems·public·keys·are·available. | 462 | to·systems·if·a·cache·of·the·remote·systems·public·keys·are·available. |
| 448 | This·should·be·disabled. | 463 | This·should·be·disabled. |
| 449 | <br><br> | 464 | <br><br> |
| 450 | To·ensure·this·behavior·is·disabled,·add·or·correct·the | 465 | To·ensure·this·behavior·is·disabled,·add·or·correct·the |
| Offset 470, 44 lines modified | Offset 485, 14 lines modified | ||
| 470 | <td></td> | 485 | <td></td> |
| 471 | </tr> | 486 | </tr> |
| 472 | <tr> | 487 | <tr> |
| 473 | <td>SRG-OS-000480-GPOS-00232</td> | 488 | <td>SRG-OS-000480-GPOS-00232</td> |
| 474 | <td>CCI-000366</td> | 489 | <td>CCI-000366</td> |
| 475 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | 490 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> |
| 476 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | 491 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> |
| 477 | <td>sshd_disable_rhosts_rsa</td> | ||
| 478 | <td>Disable·SSH·Support·for·Rhosts·RSA·Authentication</td> | ||
| 479 | <td·xml:lang="en-US">SSH·can·allow·authentication·through·the·obsolete·rsh | ||
| 480 | command·through·the·use·of·the·authenticating·user's·SSH·keys.·This·should·be·disabled. | ||
| 481 | <br><br> | ||
| 482 | To·ensure·this·behavior·is·disabled,·add·or·correct·the | ||
| 483 | following·line·in·<code>/etc/ssh/sshd_config</code>: | ||
| 484 | <pre>RhostsRSAAuthentication·no</pre> | ||
| 485 | </td> | ||
| 486 | <td></td> | ||
| 487 | </tr> | ||
| 488 | <tr> | ||
| 489 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 490 | <td>CCI-000366</td> | ||
| 491 | <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> | ||
| 492 | <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> | ||
| 493 | <td>sshd_do_not_permit_user_env</td> | ||
| 494 | <td>Do·Not·Allow·SSH·Environment·Options</td> | ||
| 495 | <td·xml:lang="en-US">To·ensure·users·are·not·able·to·override·environment | ||
| 496 | options·to·the·SSH·daemon,·add·or·correct·the·following·line | ||
| 497 | in·<code>/etc/ssh/sshd_config</code>: | ||
| 498 | <pre>PermitUserEnvironment·no</pre> | ||
| 499 | </td> | ||
| 500 | <td></td> | ||
| 501 | </tr> | ||
| 502 | <tr> | ||
| 503 | <td>SRG-OS-000480-GPOS-00232</td> | ||
| 504 | <td>CCI-000366</td> | ||
| Max diff block lines reached; 1501824/1508677 bytes (99.55%) of diff not shown. | |||
| Offset 126, 36 lines modified | Offset 126, 36 lines modified | ||
| 126 | <td·xml:lang="en-US">If·<code>/etc/cron.allow</code>·exists,·it·must·be·owned·by·<code>root</code>. | 126 | <td·xml:lang="en-US">If·<code>/etc/cron.allow</code>·exists,·it·must·be·owned·by·<code>root</code>. |
| 127 | ····To·properly·set·the·owner·of·<code>/etc/cron.allow</code>,·run·the·command: | 127 | ····To·properly·set·the·owner·of·<code>/etc/cron.allow</code>,·run·the·command: |
| 128 | ····<pre·xml:space="preserve">$·sudo·chown·root·/etc/cron.allow·</pre> | 128 | ····<pre·xml:space="preserve">$·sudo·chown·root·/etc/cron.allow·</pre> |
| 129 | </td> | 129 | </td> |
| 130 | </tr></table> | 130 | </tr></table> |
| 131 | <table><tr> | 131 | <table><tr> |
| 132 | <td>Remove·the·X·Windows·Package·Group</td> | ||
| 133 | <td·xml:lang="en-US">By·removing·the·xorg-x11-server-common·package,·the·system·no·longer·has·X·Windows | ||
| 134 | installed.·If·X·Windows·is·not·installed·then·the·system·cannot·boot·into·graphical·user·mode. | ||
| 135 | This·prevents·the·system·from·being·accidentally·or·maliciously·booted·into·a·<code>graphical.target</code> | ||
| 136 | mode.·To·do·so,·run·the·following·command: | ||
| 137 | <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> | ||
| 138 | <pre>$·sudo·yum·remove·xorg-x11-server-common</pre> | ||
| 139 | </td> | ||
| 140 | </tr></table> | ||
| 141 | <table><tr> | ||
| 142 | <td>Disable·X·Windows·Startup·By·Setting·Default·Target</td> | 132 | <td>Disable·X·Windows·Startup·By·Setting·Default·Target</td> |
| 143 | <td·xml:lang="en-US">Systems·that·do·not·require·a·graphical·user·interface·should·only·boot·by | 133 | <td·xml:lang="en-US">Systems·that·do·not·require·a·graphical·user·interface·should·only·boot·by |
| 144 | default·into·<code>multi-user.target</code>·mode.·This·prevents·accidental·booting·of·the·system | 134 | default·into·<code>multi-user.target</code>·mode.·This·prevents·accidental·booting·of·the·system |
| 145 | into·a·<code>graphical.target</code>·mode.·Setting·the·system's·default·target·to | 135 | into·a·<code>graphical.target</code>·mode.·Setting·the·system's·default·target·to |
| 146 | <code>multi-user.target</code>·will·prevent·automatic·startup·of·the·X·server.·To·do·so,·run: | 136 | <code>multi-user.target</code>·will·prevent·automatic·startup·of·the·X·server.·To·do·so,·run: |
| 147 | <pre>$·systemctl·set-default·multi-user.target</pre> | 137 | <pre>$·systemctl·set-default·multi-user.target</pre> |
| 148 | You·should·see·the·following·output: | 138 | You·should·see·the·following·output: |
| 149 | <pre>rm·'/etc/systemd/system/default.target' | 139 | <pre>rm·'/etc/systemd/system/default.target' |
| 150 | ln·-s·'/usr/lib/systemd/system/multi-user.target'·'/etc/systemd/system/default.target'</pre> | 140 | ln·-s·'/usr/lib/systemd/system/multi-user.target'·'/etc/systemd/system/default.target'</pre> |
| 151 | </td> | 141 | </td> |
| 152 | </tr></table> | 142 | </tr></table> |
| 153 | <table><tr> | 143 | <table><tr> |
| 144 | <td>Remove·the·X·Windows·Package·Group</td> | ||
| 145 | <td·xml:lang="en-US">By·removing·the·xorg-x11-server-common·package,·the·system·no·longer·has·X·Windows | ||
| 146 | installed.·If·X·Windows·is·not·installed·then·the·system·cannot·boot·into·graphical·user·mode. | ||
| 147 | This·prevents·the·system·from·being·accidentally·or·maliciously·booted·into·a·<code>graphical.target</code> | ||
| 148 | mode.·To·do·so,·run·the·following·command: | ||
| 149 | <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> | ||
| 150 | <pre>$·sudo·yum·remove·xorg-x11-server-common</pre> | ||
| 151 | </td> | ||
| 152 | </tr></table> | ||
| 153 | <table><tr> | ||
| 154 | <td>Uninstall·quagga·Package</td> | 154 | <td>Uninstall·quagga·Package</td> |
| 155 | <td·xml:lang="en-US"> | 155 | <td·xml:lang="en-US"> |
| 156 | ············ | 156 | ············ |
| 157 | ········The·<code>quagga</code>·package·can·be·removed·with·the·following·command: | 157 | ········The·<code>quagga</code>·package·can·be·removed·with·the·following·command: |
| 158 | ········<pre>$·sudo·yum·erase·quagga</pre> | 158 | ········<pre>$·sudo·yum·erase·quagga</pre> |
| 159 | ··········</td> | 159 | ··········</td> |
| 160 | </tr></table> | 160 | </tr></table> |
| Offset 286, 14 lines modified | Offset 286, 23 lines modified | ||
| 286 | <td·xml:lang="en-US"> | 286 | <td·xml:lang="en-US"> |
| 287 | ············ | 287 | ············ |
| 288 | ········The·<code>avahi-daemon</code>·service·can·be·disabled·with·the·following·command: | 288 | ········The·<code>avahi-daemon</code>·service·can·be·disabled·with·the·following·command: |
| 289 | ········<pre>$·sudo·systemctl·disable·avahi-daemon.service</pre> | 289 | ········<pre>$·sudo·systemctl·disable·avahi-daemon.service</pre> |
| 290 | ··········</td> | 290 | ··········</td> |
| 291 | </tr></table> | 291 | </tr></table> |
| 292 | <table><tr> | 292 | <table><tr> |
| 293 | <td>Enable·Use·of·Strict·Mode·Checking</td> | ||
| 294 | <td·xml:lang="en-US">SSHs·StrictModes·option·checks·file·and·ownership·permissions·in | ||
| 295 | the·user's·home·directory·<code>.ssh</code>·folder·before·accepting·login.·If·world- | ||
| 296 | writable·permissions·are·found,·logon·is·rejected.·To·enable·StrictModes·in·SSH, | ||
| 297 | add·or·correct·the·following·line·in·the·<code>/etc/ssh/sshd_config</code>·file: | ||
| 298 | <pre>StrictModes·yes</pre> | ||
| 299 | </td> | ||
| 300 | </tr></table> | ||
| 301 | <table><tr> | ||
| 293 | <td>Disable·SSH·Support·for·User·Known·Hosts</td> | 302 | <td>Disable·SSH·Support·for·User·Known·Hosts</td> |
| 294 | <td·xml:lang="en-US">SSH·can·allow·system·users·user·host-based·authentication·to·connect | 303 | <td·xml:lang="en-US">SSH·can·allow·system·users·user·host-based·authentication·to·connect |
| 295 | to·systems·if·a·cache·of·the·remote·systems·public·keys·are·available. | 304 | to·systems·if·a·cache·of·the·remote·systems·public·keys·are·available. |
| 296 | This·should·be·disabled. | 305 | This·should·be·disabled. |
| 297 | <br><br> | 306 | <br><br> |
| 298 | To·ensure·this·behavior·is·disabled,·add·or·correct·the | 307 | To·ensure·this·behavior·is·disabled,·add·or·correct·the |
| 299 | following·line·in·<code>/etc/ssh/sshd_config</code>: | 308 | following·line·in·<code>/etc/ssh/sshd_config</code>: |
| Offset 307, 32 lines modified | Offset 316, 14 lines modified | ||
| 307 | <br> | 316 | <br> |
| 308 | <pre>PermitEmptyPasswords·no</pre> | 317 | <pre>PermitEmptyPasswords·no</pre> |
| 309 | <br> | 318 | <br> |
| 310 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration | 319 | Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration |
| 311 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</td> | 320 | should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</td> |
| 312 | </tr></table> | 321 | </tr></table> |
| 313 | <table><tr> | 322 | <table><tr> |
| 314 | <td>Disable·SSH·Support·for·Rhosts·RSA·Authentication</td> | ||
| 315 | <td·xml:lang="en-US">SSH·can·allow·authentication·through·the·obsolete·rsh | ||
| 316 | command·through·the·use·of·the·authenticating·user's·SSH·keys.·This·should·be·disabled. | ||
| 317 | <br><br> | ||
| 318 | To·ensure·this·behavior·is·disabled,·add·or·correct·the | ||
| 319 | following·line·in·<code>/etc/ssh/sshd_config</code>: | ||
| 320 | <pre>RhostsRSAAuthentication·no</pre> | ||
| 321 | </td> | ||
| 322 | </tr></table> | ||
| 323 | <table><tr> | ||
| 324 | <td>Do·Not·Allow·SSH·Environment·Options</td> | ||
| 325 | <td·xml:lang="en-US">To·ensure·users·are·not·able·to·override·environment | ||
| 326 | options·to·the·SSH·daemon,·add·or·correct·the·following·line | ||
| 327 | in·<code>/etc/ssh/sshd_config</code>: | ||
| 328 | <pre>PermitUserEnvironment·no</pre> | ||
| 329 | </td> | ||
| 330 | </tr></table> | ||
| 331 | <table><tr> | ||
| 332 | <td>Allow·Only·SSH·Protocol·2</td> | 323 | <td>Allow·Only·SSH·Protocol·2</td> |
| 333 | <td·xml:lang="en-US">Only·SSH·protocol·version·2·connections·should·be | 324 | <td·xml:lang="en-US">Only·SSH·protocol·version·2·connections·should·be |
| 334 | permitted.·The·default·setting·in | 325 | permitted.·The·default·setting·in |
| 335 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be | 326 | <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be |
| 336 | verified·by·ensuring·that·the·following | 327 | verified·by·ensuring·that·the·following |
| 337 | line·appears: | 328 | line·appears: |
| 338 | <pre>Protocol·2</pre> | 329 | <pre>Protocol·2</pre> |
| Offset 346, 14 lines modified | Offset 337, 32 lines modified | ||
| 346 | <br><br> | 337 | <br><br> |
| 347 | To·ensure·this·behavior·is·disabled,·add·or·correct·the | 338 | To·ensure·this·behavior·is·disabled,·add·or·correct·the |
| 348 | following·line·in·<code>/etc/ssh/sshd_config</code>: | 339 | following·line·in·<code>/etc/ssh/sshd_config</code>: |
| 349 | <pre>IgnoreRhosts·yes</pre> | 340 | <pre>IgnoreRhosts·yes</pre> |
| 350 | </td> | 341 | </td> |
| 351 | </tr></table> | 342 | </tr></table> |
| 352 | <table><tr> | 343 | <table><tr> |
| 344 | <td>Disable·SSH·Support·for·Rhosts·RSA·Authentication</td> | ||
| 345 | <td·xml:lang="en-US">SSH·can·allow·authentication·through·the·obsolete·rsh | ||
| 346 | command·through·the·use·of·the·authenticating·user's·SSH·keys.·This·should·be·disabled. | ||
| 347 | <br><br> | ||
| 348 | To·ensure·this·behavior·is·disabled,·add·or·correct·the | ||
| 349 | following·line·in·<code>/etc/ssh/sshd_config</code>: | ||
| 350 | <pre>RhostsRSAAuthentication·no</pre> | ||
| 351 | </td> | ||
| 352 | </tr></table> | ||
| 353 | <table><tr> | ||
| 354 | <td>Do·Not·Allow·SSH·Environment·Options</td> | ||
| 355 | <td·xml:lang="en-US">To·ensure·users·are·not·able·to·override·environment | ||
| 356 | options·to·the·SSH·daemon,·add·or·correct·the·following·line | ||
| 357 | in·<code>/etc/ssh/sshd_config</code>: | ||
| 358 | <pre>PermitUserEnvironment·no</pre> | ||
| 359 | </td> | ||
| Max diff block lines reached; 988704/994325 bytes (99.43%) of diff not shown. | |||
| Offset 43, 57 lines modified | Offset 43, 58 lines modified | ||
| 43 | ·········· | 43 | ·········· |
| 44 | ···vars: | 44 | ···vars: |
| 45 | ······sshd_idle_timeout_value:·300 | 45 | ······sshd_idle_timeout_value:·300 |
| 46 | ······rsyslog_remote_loghost_address:·None | 46 | ······rsyslog_remote_loghost_address:·None |
| 47 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 47 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 48 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 52 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 53 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 54 | ······sysctl_net_ipv4_conf_ | 54 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 55 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 55 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 56 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 56 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 57 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 58 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 58 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 59 | ······sysctl_net_ipv4_icmp_ | 59 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 60 | ······sysctl_net_ipv4_conf_ | 60 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 61 | ······var_selinux_policy_name:·targeted | 61 | ······var_selinux_policy_name:·targeted |
| 62 | ······var_selinux_state:·enforcing | 62 | ······var_selinux_state:·enforcing |
| 63 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 64 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 65 | ······var_accounts_password_warn_age_login_defs:·7 | 63 | ······var_accounts_password_warn_age_login_defs:·7 |
| 64 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 65 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 66 | ······var_account_disable_post_pw_expiration:·35 | 66 | ······var_account_disable_post_pw_expiration:·35 |
| 67 | ······var_password_pam_unix_remember:·0 | 67 | ······var_password_pam_unix_remember:·0 |
| 68 | ······var_accounts_passwords_pam_faillock_deny:·3 | 68 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 69 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 69 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 70 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 70 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 71 | ······var_removable_partition:·/dev/cdrom | ||
| 72 | ······var_removable_partition:·/dev/cdrom | ||
| 73 | ······var_removable_partition:·/dev/cdrom | ||
| 71 | ······var_auditd_max_log_file:·1 | 74 | ······var_auditd_max_log_file:·1 |
| 72 | ······var_auditd_action_mail_acct:·admin | 75 | ······var_auditd_action_mail_acct:·admin |
| 73 | ······var_auditd_space_left_action:·suspend | ||
| 74 | ······var_auditd_admin_space_left_action:·suspend | 76 | ······var_auditd_admin_space_left_action:·suspend |
| 77 | ······var_auditd_space_left_action:·suspend | ||
| 75 | ······var_auditd_max_log_file_action:·ignore | 78 | ······var_auditd_max_log_file_action:·ignore |
| 76 | ······var_removable_partition:·/dev/cdrom | ||
| 77 | ······var_removable_partition:·/dev/cdrom | ||
| 78 | ······var_removable_partition:·/dev/cdrom | ||
| 79 | ···tasks: | 79 | ···tasks: |
| 80 | ····-·name:·Ensure·s | 80 | ····-·name:·Ensure·vsftpd·is·removed |
| 81 | ······package: | 81 | ······package: |
| 82 | ········name="{{item}}" | 82 | ········name="{{item}}" |
| 83 | ········state=absent | 83 | ········state=absent |
| 84 | ······with_items: | 84 | ······with_items: |
| 85 | ········-·s | 85 | ········-·vsftpd |
| 86 | ······tags: | 86 | ······tags: |
| 87 | ········-·package_s | 87 | ········-·package_vsftpd_removed |
| 88 | ········-·unknown_severity | 88 | ········-·unknown_severity |
| 89 | ········-·disable_strategy | 89 | ········-·disable_strategy |
| 90 | ········-·low_complexity | 90 | ········-·low_complexity |
| 91 | ········-·low_disruption | 91 | ········-·low_disruption |
| 92 | ········-·CCE-2 | 92 | ········-·CCE-26687-4 |
| 93 | ········-·NIST-800-53-CM-7 | ||
| 93 | ···· | 94 | ···· |
| 94 | ····-·name:·Ensure·httpd·is·removed | 95 | ····-·name:·Ensure·httpd·is·removed |
| 95 | ······package: | 96 | ······package: |
| 96 | ········name="{{item}}" | 97 | ········name="{{item}}" |
| 97 | ········state=absent | 98 | ········state=absent |
| 98 | ······with_items: | 99 | ······with_items: |
| 99 | ········-·httpd | 100 | ········-·httpd |
| Offset 102, 29 lines modified | Offset 103, 43 lines modified | ||
| 102 | ········-·unknown_severity | 103 | ········-·unknown_severity |
| 103 | ········-·disable_strategy | 104 | ········-·disable_strategy |
| 104 | ········-·low_complexity | 105 | ········-·low_complexity |
| 105 | ········-·low_disruption | 106 | ········-·low_disruption |
| 106 | ········-·CCE-27133-8 | 107 | ········-·CCE-27133-8 |
| 107 | ········-·NIST-800-53-CM-7 | 108 | ········-·NIST-800-53-CM-7 |
| 108 | ···· | 109 | ···· |
| 109 | ····-·name:·Ensure· | 110 | ····-·name:·Ensure·bind·is·removed |
| 110 | ······package: | 111 | ······package: |
| 111 | ········name="{{item}}" | 112 | ········name="{{item}}" |
| 112 | ········state=absent | 113 | ········state=absent |
| 113 | ······with_items: | 114 | ······with_items: |
| 114 | ········-· | 115 | ········-·bind |
| 115 | ······tags: | 116 | ······tags: |
| 116 | ········-·package_ | 117 | ········-·package_bind_removed |
| 117 | ········-· | 118 | ········-·unknown_severity |
| 118 | ········-·disable_strategy | 119 | ········-·disable_strategy |
| 119 | ········-·low_complexity | 120 | ········-·low_complexity |
| 120 | ········-·low_disruption | 121 | ········-·low_disruption |
| 121 | ········-·CCE-27 | 122 | ········-·CCE-27030-6 |
| 122 | ········-·NIST-800-53-CM-7 | 123 | ········-·NIST-800-53-CM-7 |
| 123 | ···· | 124 | ···· |
| 125 | ····-·name:·Ensure·samba·is·removed | ||
| 126 | ······package: | ||
| 127 | ········name="{{item}}" | ||
| 128 | ········state=absent | ||
| 129 | ······with_items: | ||
| 130 | ········-·samba | ||
| 131 | ······tags: | ||
| 132 | ········-·package_samba_removed | ||
| 133 | ········-·unknown_severity | ||
| 134 | ········-·disable_strategy | ||
| 135 | ········-·low_complexity | ||
| 136 | ········-·low_disruption | ||
| 137 | ········-·CCE-27102-3 | ||
| 138 | ···· | ||
| 124 | ····-·name:·Enable·service·ntpd | 139 | ····-·name:·Enable·service·ntpd |
| 125 | ······service: | 140 | ······service: |
| 126 | ········name="{{item}}" | 141 | ········name="{{item}}" |
| 127 | ········enabled="yes" | 142 | ········enabled="yes" |
| 128 | ········state="started" | 143 | ········state="started" |
| 129 | ······with_items: | 144 | ······with_items: |
| 130 | ········-·ntpd | 145 | ········-·ntpd |
| Offset 135, 45 lines modified | Offset 150, 94 lines modified | ||
| 135 | ········-·low_complexity | 150 | ········-·low_complexity |
| 136 | ········-·low_disruption | 151 | ········-·low_disruption |
| 137 | ········-·CCE-27093-4 | 152 | ········-·CCE-27093-4 |
| 138 | ········-·NIST-800-53-AU-8(1) | 153 | ········-·NIST-800-53-AU-8(1) |
| 139 | ········-·PCI-DSS-Req-10.4 | 154 | ········-·PCI-DSS-Req-10.4 |
| 140 | ········-·DISA-STIG-RHEL-06-000247 | 155 | ········-·DISA-STIG-RHEL-06-000247 |
| 141 | ···· | 156 | ···· |
| 142 | ····-·name:· | 157 | ····-·name:·Ensure·openldap-servers·is·removed |
| 158 | ······package: | ||
| 159 | ········name="{{item}}" | ||
| 160 | ········state=absent | ||
| 161 | ······with_items: | ||
| 162 | ········-·openldap-servers | ||
| 163 | ······tags: | ||
| 164 | ········-·package_openldap-servers_removed | ||
| 165 | ········-·unknown_severity | ||
| 166 | ········-·disable_strategy | ||
| 167 | ········-·low_complexity | ||
| Max diff block lines reached; 83773/89246 bytes (93.87%) of diff not shown. | |||
| Offset 33, 88 lines modified | Offset 33, 75 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······rsyslog_remote_loghost_address:·None | 36 | ······rsyslog_remote_loghost_address:·None |
| 37 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 37 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 40 | ······sysctl_net_ipv4_icmp_ | 40 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_ | 44 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 49 | ······sysctl_net_ipv4_icmp_ | 49 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_ | 50 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 51 | ······var_selinux_policy_name:·targeted | 51 | ······var_selinux_policy_name:·targeted |
| 52 | ······var_selinux_state:·enforcing | 52 | ······var_selinux_state:·enforcing |
| 53 | ······var_accounts_password_minlen_login_defs:·14 | 53 | ······var_accounts_password_minlen_login_defs:·14 |
| 54 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 55 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | 54 | ······var_accounts_password_warn_age_login_defs:·7 |
| 55 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 56 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 57 | ······var_account_disable_post_pw_expiration:·35 | 57 | ······var_account_disable_post_pw_expiration:·35 |
| 58 | ······var_password_pam_unix_remember:·10 | 58 | ······var_password_pam_unix_remember:·10 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_user_umask:·077 | 63 | ······var_accounts_user_umask:·077 |
| 64 | ······var_accounts_max_concurrent_login_sessions:·3 | 64 | ······var_accounts_max_concurrent_login_sessions:·3 |
| 65 | ······var_removable_partition:·/dev/cdrom | 65 | ······var_removable_partition:·/dev/cdrom |
| 66 | ······var_removable_partition:·/dev/cdrom | 66 | ······var_removable_partition:·/dev/cdrom |
| 67 | ······var_removable_partition:·/dev/cdrom | 67 | ······var_removable_partition:·/dev/cdrom |
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Disable·service·s | 69 | ····-·name:·Disable·service·vsftpd |
| 70 | ······service: | 70 | ······service: |
| 71 | ········name="{{item}}" | 71 | ········name="{{item}}" |
| 72 | ········enabled="no" | 72 | ········enabled="no" |
| 73 | ········state="stopped" | 73 | ········state="stopped" |
| 74 | ······register:·service_result | 74 | ······register:·service_result |
| 75 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 75 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 76 | ······with_items: | 76 | ······with_items: |
| 77 | ········-·s | 77 | ········-·vsftpd |
| 78 | ······tags: | 78 | ······tags: |
| 79 | ········-·service_s | 79 | ········-·service_vsftpd_disabled |
| 80 | ········-·unknown_severity | 80 | ········-·unknown_severity |
| 81 | ········-·disable_strategy | 81 | ········-·disable_strategy |
| 82 | ········-·low_complexity | 82 | ········-·low_complexity |
| 83 | ········-·low_disruption | 83 | ········-·low_disruption |
| 84 | ········-·CCE-2 | 84 | ········-·CCE-26948-0 |
| 85 | ···· | 85 | ········-·NIST-800-53-CM-7 |
| 86 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 87 | ······stat: | ||
| 88 | ········path:·/etc/samba/smb.conf | ||
| 89 | ······register:·st_smb | ||
| 90 | ······tags: | ||
| 91 | ········-·require_smb_client_signing | ||
| 92 | ········-·unknown_severity | ||
| 93 | ········-·configure_strategy | ||
| 94 | ········-·low_complexity | ||
| 95 | ········-·medium_disruption | ||
| 96 | ········-·CCE-26328-5 | ||
| 97 | ········-·DISA-STIG-RHEL-06-000272 | ||
| 98 | ···· | 86 | ···· |
| 99 | ····-·name:· | 87 | ····-·name:·Ensure·vsftpd·is·removed |
| 100 | ······ | 88 | ······package: |
| 101 | ········ | 89 | ········name="{{item}}" |
| 102 | ········ | 90 | ········state=absent |
| 103 | ······ | 91 | ······with_items: |
| 104 | ········ | 92 | ········-·vsftpd |
| 105 | ······when:·st_smb.stat.exists | ||
| 106 | ······tags: | 93 | ······tags: |
| 107 | ········-· | 94 | ········-·package_vsftpd_removed |
| 108 | ········-·unknown_severity | 95 | ········-·unknown_severity |
| 109 | ········-· | 96 | ········-·disable_strategy |
| 110 | ········-·low_complexity | 97 | ········-·low_complexity |
| 111 | ········-· | 98 | ········-·low_disruption |
| 112 | ········-·CCE-26 | 99 | ········-·CCE-26687-4 |
| 113 | ········-· | 100 | ········-·NIST-800-53-CM-7 |
| 114 | ···· | 101 | ···· |
| 115 | ····-·name:·Ensure·httpd·is·removed | 102 | ····-·name:·Ensure·httpd·is·removed |
| 116 | ······package: | 103 | ······package: |
| 117 | ········name="{{item}}" | 104 | ········name="{{item}}" |
| 118 | ········state=absent | 105 | ········state=absent |
| 119 | ······with_items: | 106 | ······with_items: |
| 120 | ········-·httpd | 107 | ········-·httpd |
| Offset 153, 45 lines modified | Offset 140, 92 lines modified | ||
| 153 | ········-·unknown_severity | 140 | ········-·unknown_severity |
| 154 | ········-·configure_strategy | 141 | ········-·configure_strategy |
| 155 | ········-·low_complexity | 142 | ········-·low_complexity |
| 156 | ········-·low_disruption | 143 | ········-·low_disruption |
| 157 | ········-·CCE-27316-9 | 144 | ········-·CCE-27316-9 |
| 158 | ········-·NIST-800-53-CM-7 | 145 | ········-·NIST-800-53-CM-7 |
| 159 | ···· | 146 | ···· |
| 160 | ····-·name:· | 147 | ····-·name:·Disable·service·named |
| 148 | ······service: | ||
| 149 | ········name="{{item}}" | ||
| 150 | ········enabled="no" | ||
| 151 | ········state="stopped" | ||
| 152 | ······register:·service_result | ||
| 153 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 154 | ······with_items: | ||
| 155 | ········-·named | ||
| 156 | ······tags: | ||
| 157 | ········-·service_named_disabled | ||
| 158 | ········-·unknown_severity | ||
| 159 | ········-·disable_strategy | ||
| 160 | ········-·low_complexity | ||
| 161 | ········-·low_disruption | ||
| 162 | ········-·CCE-26873-0 | ||
| 163 | ········-·NIST-800-53-CM-7 | ||
| 164 | ···· | ||
| 165 | ····-·name:·Ensure·bind·is·removed | ||
| 161 | ······package: | 166 | ······package: |
| 162 | ········name="{{item}}" | 167 | ········name="{{item}}" |
| 163 | ········state=absent | 168 | ········state=absent |
| 164 | ······with_items: | 169 | ······with_items: |
| 165 | ········-· | 170 | ········-·bind |
| 166 | ······tags: | 171 | ······tags: |
| 167 | ········-·package_ | 172 | ········-·package_bind_removed |
| 168 | ········-· | 173 | ········-·unknown_severity |
| 169 | ········-·disable_strategy | 174 | ········-·disable_strategy |
| 170 | ········-·low_complexity | 175 | ········-·low_complexity |
| Max diff block lines reached; 175955/181073 bytes (97.17%) of diff not shown. | |||
| Offset 35, 39 lines modified | Offset 35, 72 lines modified | ||
| 35 | ·······assert: | 35 | ·······assert: |
| 36 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 36 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 37 | ·········msg:·> | 37 | ·········msg:·> |
| 38 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 38 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 39 | ·········· | 39 | ·········· |
| 40 | ···vars: | 40 | ···vars: |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 42 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_ | 46 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_icmp_ | 51 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 52 | ······sysctl_net_ipv4_conf_ | 52 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 53 | ······var_selinux_policy_name:·mls | 53 | ······var_selinux_policy_name:·mls |
| 54 | ······var_selinux_state:·enforcing | 54 | ······var_selinux_state:·enforcing |
| 55 | ······var_accounts_password_minlen_login_defs:·12 | 55 | ······var_accounts_password_minlen_login_defs:·12 |
| 56 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 57 | ······var_accounts_password_warn_age_login_defs:·7 | 56 | ······var_accounts_password_warn_age_login_defs:·7 |
| 57 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 58 | ······var_account_disable_post_pw_expiration:·35 | 58 | ······var_account_disable_post_pw_expiration:·35 |
| 59 | ······var_password_pam_unix_remember:·0 | 59 | ······var_password_pam_unix_remember:·0 |
| 60 | ······var_password_pam_retry:·3 | 60 | ······var_password_pam_retry:·3 |
| 61 | ······var_auditd_max_log_file:·1 | 61 | ······var_auditd_max_log_file:·1 |
| 62 | ······var_auditd_action_mail_acct:·admin | 62 | ······var_auditd_action_mail_acct:·admin |
| 63 | ······var_auditd_space_left_action:·suspend | ||
| 64 | ······var_auditd_admin_space_left_action:·suspend | 63 | ······var_auditd_admin_space_left_action:·suspend |
| 64 | ······var_auditd_space_left_action:·suspend | ||
| 65 | ······var_auditd_max_log_file_action:·keep_logs | 65 | ······var_auditd_max_log_file_action:·keep_logs |
| 66 | ···tasks: | 66 | ···tasks: |
| 67 | ····-·name:·Disable·service·vsftpd | ||
| 68 | ······service: | ||
| 69 | ········name="{{item}}" | ||
| 70 | ········enabled="no" | ||
| 71 | ········state="stopped" | ||
| 72 | ······register:·service_result | ||
| 73 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 74 | ······with_items: | ||
| 75 | ········-·vsftpd | ||
| 76 | ······tags: | ||
| 77 | ········-·service_vsftpd_disabled | ||
| 78 | ········-·unknown_severity | ||
| 79 | ········-·disable_strategy | ||
| 80 | ········-·low_complexity | ||
| 81 | ········-·low_disruption | ||
| 82 | ········-·CCE-26948-0 | ||
| 83 | ········-·NIST-800-53-CM-7 | ||
| 84 | ···· | ||
| 85 | ····-·name:·Ensure·vsftpd·is·removed | ||
| 86 | ······package: | ||
| 87 | ········name="{{item}}" | ||
| 88 | ········state=absent | ||
| 89 | ······with_items: | ||
| 90 | ········-·vsftpd | ||
| 91 | ······tags: | ||
| 92 | ········-·package_vsftpd_removed | ||
| 93 | ········-·unknown_severity | ||
| 94 | ········-·disable_strategy | ||
| 95 | ········-·low_complexity | ||
| 96 | ········-·low_disruption | ||
| 97 | ········-·CCE-26687-4 | ||
| 98 | ········-·NIST-800-53-CM-7 | ||
| 99 | ···· | ||
| 67 | ···· | 100 | ···· |
| 68 | ····-·name:·Find·/etc/httpd/conf/*·file(s) | 101 | ····-·name:·Find·/etc/httpd/conf/*·file(s) |
| 69 | ······find: | 102 | ······find: |
| 70 | ········paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}" | 103 | ········paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}" |
| 71 | ········patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}" | 104 | ········patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}" |
| 72 | ······register:·files_found | 105 | ······register:·files_found |
| 73 | ······tags: | 106 | ······tags: |
| Offset 90, 98 lines modified | Offset 123, 116 lines modified | ||
| 90 | ········-·unknown_severity | 123 | ········-·unknown_severity |
| 91 | ········-·configure_strategy | 124 | ········-·configure_strategy |
| 92 | ········-·low_complexity | 125 | ········-·low_complexity |
| 93 | ········-·low_disruption | 126 | ········-·low_disruption |
| 94 | ········-·CCE-27316-9 | 127 | ········-·CCE-27316-9 |
| 95 | ········-·NIST-800-53-CM-7 | 128 | ········-·NIST-800-53-CM-7 |
| 96 | ···· | 129 | ···· |
| 97 | ····-·name:· | 130 | ····-·name:·Disable·service·named |
| 98 | ······ | 131 | ······service: |
| 99 | ········name="{{item}}" | 132 | ········name="{{item}}" |
| 100 | ········ | 133 | ········enabled="no" |
| 134 | ········state="stopped" | ||
| 135 | ······register:·service_result | ||
| 136 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 101 | ······with_items: | 137 | ······with_items: |
| 102 | ········-· | 138 | ········-·named |
| 103 | ······tags: | 139 | ······tags: |
| 104 | ········-· | 140 | ········-·service_named_disabled |
| 105 | ········-· | 141 | ········-·unknown_severity |
| 106 | ········-·disable_strategy | 142 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 143 | ········-·low_complexity |
| 108 | ········-·low_disruption | 144 | ········-·low_disruption |
| 109 | ········-·CCE-2 | 145 | ········-·CCE-26873-0 |
| 110 | ········-·NIST-800-53-CM-7 | 146 | ········-·NIST-800-53-CM-7 |
| 111 | ········-·DISA-STIG-RHEL-06-000288 | ||
| 112 | ···· | 147 | ···· |
| 113 | ····-·name:·Ensure· | 148 | ····-·name:·Ensure·bind·is·removed |
| 114 | ······package: | 149 | ······package: |
| 115 | ········name="{{item}}" | 150 | ········name="{{item}}" |
| 116 | ········state=absent | 151 | ········state=absent |
| 117 | ······with_items: | 152 | ······with_items: |
| 118 | ········-· | 153 | ········-·bind |
| 119 | ······tags: | 154 | ······tags: |
| 120 | ········-·package_ | 155 | ········-·package_bind_removed |
| 121 | ········-· | 156 | ········-·unknown_severity |
| 122 | ········-·disable_strategy | 157 | ········-·disable_strategy |
| 123 | ········-·low_complexity | 158 | ········-·low_complexity |
| 124 | ········-·low_disruption | 159 | ········-·low_disruption |
| 125 | ········-·CCE-27 | 160 | ········-·CCE-27030-6 |
| 126 | ········-·NIST-800-53-CM-7 | 161 | ········-·NIST-800-53-CM-7 |
| 127 | ···· | 162 | ···· |
| 128 | ····-·name:· | 163 | ····-·name:·Enable·service·ntpd |
| 129 | ······service: | 164 | ······service: |
| 130 | ········name="{{item}}" | 165 | ········name="{{item}}" |
| 131 | ········enabled=" | 166 | ········enabled="yes" |
| 132 | ········state="st | 167 | ········state="started" |
| 133 | ······register:·service_result | ||
| 134 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 135 | ······with_items: | 168 | ······with_items: |
| 136 | ········-· | 169 | ········-·ntpd |
| 137 | ······tags: | 170 | ······tags: |
| 138 | ········-·service_ | 171 | ········-·service_ntpd_enabled |
| Max diff block lines reached; 127041/131888 bytes (96.32%) of diff not shown. | |||
| Offset 34, 87 lines modified | Offset 34, 74 lines modified | ||
| 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······rsyslog_remote_loghost_address:·None | 38 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 41 | ······sysctl_net_ipv4_icmp_ | 41 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_conf_ | 45 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_ | 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 52 | ······var_selinux_policy_name:·targeted | 52 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 53 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·15 | 54 | ······var_accounts_password_minlen_login_defs:·15 |
| 55 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_password_warn_age_login_defs:·7 | 55 | ······var_accounts_password_warn_age_login_defs:·7 |
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 58 | ······var_password_pam_unix_remember:·5 | 58 | ······var_password_pam_unix_remember:·5 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_tmout:·600 | 63 | ······var_accounts_tmout:·600 |
| 64 | ······var_removable_partition:·/dev/cdrom | ||
| 64 | ······var_auditd_max_log_file:·6 | 65 | ······var_auditd_max_log_file:·6 |
| 65 | ······var_auditd_admin_space_left_action:·single | 66 | ······var_auditd_admin_space_left_action:·single |
| 66 | ······var_auditd_max_log_file_action:·rotate | 67 | ······var_auditd_max_log_file_action:·rotate |
| 67 | ······var_removable_partition:·/dev/cdrom | ||
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Disable·service·s | 69 | ····-·name:·Disable·service·vsftpd |
| 70 | ······service: | 70 | ······service: |
| 71 | ········name="{{item}}" | 71 | ········name="{{item}}" |
| 72 | ········enabled="no" | 72 | ········enabled="no" |
| 73 | ········state="stopped" | 73 | ········state="stopped" |
| 74 | ······register:·service_result | 74 | ······register:·service_result |
| 75 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 75 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 76 | ······with_items: | 76 | ······with_items: |
| 77 | ········-·s | 77 | ········-·vsftpd |
| 78 | ······tags: | 78 | ······tags: |
| 79 | ········-·service_s | 79 | ········-·service_vsftpd_disabled |
| 80 | ········-·unknown_severity | 80 | ········-·unknown_severity |
| 81 | ········-·disable_strategy | 81 | ········-·disable_strategy |
| 82 | ········-·low_complexity | 82 | ········-·low_complexity |
| 83 | ········-·low_disruption | 83 | ········-·low_disruption |
| 84 | ········-·CCE-2 | 84 | ········-·CCE-26948-0 |
| 85 | ···· | 85 | ········-·NIST-800-53-CM-7 |
| 86 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 87 | ······stat: | ||
| 88 | ········path:·/etc/samba/smb.conf | ||
| 89 | ······register:·st_smb | ||
| 90 | ······tags: | ||
| 91 | ········-·require_smb_client_signing | ||
| 92 | ········-·unknown_severity | ||
| 93 | ········-·configure_strategy | ||
| 94 | ········-·low_complexity | ||
| 95 | ········-·medium_disruption | ||
| 96 | ········-·CCE-26328-5 | ||
| 97 | ········-·DISA-STIG-RHEL-06-000272 | ||
| 98 | ···· | 86 | ···· |
| 99 | ····-·name:· | 87 | ····-·name:·Ensure·vsftpd·is·removed |
| 100 | ······ | 88 | ······package: |
| 101 | ········ | 89 | ········name="{{item}}" |
| 102 | ········ | 90 | ········state=absent |
| 103 | ······ | 91 | ······with_items: |
| 104 | ········ | 92 | ········-·vsftpd |
| 105 | ······when:·st_smb.stat.exists | ||
| 106 | ······tags: | 93 | ······tags: |
| 107 | ········-· | 94 | ········-·package_vsftpd_removed |
| 108 | ········-·unknown_severity | 95 | ········-·unknown_severity |
| 109 | ········-· | 96 | ········-·disable_strategy |
| 110 | ········-·low_complexity | 97 | ········-·low_complexity |
| 111 | ········-· | 98 | ········-·low_disruption |
| 112 | ········-·CCE-26 | 99 | ········-·CCE-26687-4 |
| 113 | ········-· | 100 | ········-·NIST-800-53-CM-7 |
| 114 | ···· | 101 | ···· |
| 115 | ····-·name:·Disable·service·httpd | 102 | ····-·name:·Disable·service·httpd |
| 116 | ······service: | 103 | ······service: |
| 117 | ········name="{{item}}" | 104 | ········name="{{item}}" |
| 118 | ········enabled="no" | 105 | ········enabled="no" |
| 119 | ········state="stopped" | 106 | ········state="stopped" |
| 120 | ······register:·service_result | 107 | ······register:·service_result |
| Offset 141, 46 lines modified | Offset 128, 92 lines modified | ||
| 141 | ········-·unknown_severity | 128 | ········-·unknown_severity |
| 142 | ········-·disable_strategy | 129 | ········-·disable_strategy |
| 143 | ········-·low_complexity | 130 | ········-·low_complexity |
| 144 | ········-·low_disruption | 131 | ········-·low_disruption |
| 145 | ········-·CCE-27133-8 | 132 | ········-·CCE-27133-8 |
| 146 | ········-·NIST-800-53-CM-7 | 133 | ········-·NIST-800-53-CM-7 |
| 147 | ···· | 134 | ···· |
| 148 | ····-·name:· | 135 | ····-·name:·Disable·service·named |
| 136 | ······service: | ||
| 137 | ········name="{{item}}" | ||
| 138 | ········enabled="no" | ||
| 139 | ········state="stopped" | ||
| 140 | ······register:·service_result | ||
| 141 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 142 | ······with_items: | ||
| 143 | ········-·named | ||
| 144 | ······tags: | ||
| 145 | ········-·service_named_disabled | ||
| 146 | ········-·unknown_severity | ||
| 147 | ········-·disable_strategy | ||
| 148 | ········-·low_complexity | ||
| 149 | ········-·low_disruption | ||
| 150 | ········-·CCE-26873-0 | ||
| 151 | ········-·NIST-800-53-CM-7 | ||
| 152 | ···· | ||
| 153 | ····-·name:·Ensure·bind·is·removed | ||
| 149 | ······package: | 154 | ······package: |
| 150 | ········name="{{item}}" | 155 | ········name="{{item}}" |
| 151 | ········state=absent | 156 | ········state=absent |
| 152 | ······with_items: | 157 | ······with_items: |
| 153 | ········-· | 158 | ········-·bind |
| 154 | ······tags: | 159 | ······tags: |
| 155 | ········-·package_ | 160 | ········-·package_bind_removed |
| 156 | ········-· | 161 | ········-·unknown_severity |
| 157 | ········-·disable_strategy | 162 | ········-·disable_strategy |
| 158 | ········-·low_complexity | 163 | ········-·low_complexity |
| Max diff block lines reached; 126640/131720 bytes (96.14%) of diff not shown. | |||
| Offset 32, 46 lines modified | Offset 32, 46 lines modified | ||
| 32 | ·········msg:·> | 32 | ·········msg:·> |
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 36 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 37 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 37 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 38 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 38 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 39 | ······sysctl_net_ipv4_icmp_ | 39 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 40 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 41 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 42 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_ | 43 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 44 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 44 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 46 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 47 | ······sysctl_net_ipv4_icmp_ | 47 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_ | 48 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 49 | ······var_selinux_policy_name:·targeted | 49 | ······var_selinux_policy_name:·targeted |
| 50 | ······var_selinux_state:·enforcing | 50 | ······var_selinux_state:·enforcing |
| 51 | ······var_accounts_password_minlen_login_defs:·12 | 51 | ······var_accounts_password_minlen_login_defs:·12 |
| 52 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 53 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 54 | ······var_accounts_password_warn_age_login_defs:·7 | 52 | ······var_accounts_password_warn_age_login_defs:·7 |
| 53 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 54 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 55 | ······var_account_disable_post_pw_expiration:·90 | 55 | ······var_account_disable_post_pw_expiration:·90 |
| 56 | ······var_password_pam_unix_remember:·24 | 56 | ······var_password_pam_unix_remember:·24 |
| 57 | ······var_accounts_passwords_pam_faillock_deny:·3 | 57 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 58 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 58 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 59 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 59 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 60 | ······var_password_pam_maxrepeat:·3 | 60 | ······var_password_pam_maxrepeat:·3 |
| 61 | ······var_password_pam_retry:·3 | 61 | ······var_password_pam_retry:·3 |
| 62 | ······var_accounts_max_concurrent_login_sessions:·1 | 62 | ······var_accounts_max_concurrent_login_sessions:·1 |
| 63 | ······var_removable_partition:·/dev/cdrom | ||
| 64 | ······var_removable_partition:·/dev/cdrom | ||
| 65 | ······var_removable_partition:·/dev/cdrom | ||
| 63 | ······var_auditd_max_log_file:·1 | 66 | ······var_auditd_max_log_file:·1 |
| 64 | ······var_auditd_action_mail_acct:·admin | 67 | ······var_auditd_action_mail_acct:·admin |
| 65 | ······var_auditd_space_left_action:·suspend | ||
| 66 | ······var_auditd_admin_space_left_action:·halt | 68 | ······var_auditd_admin_space_left_action:·halt |
| 69 | ······var_auditd_space_left_action:·suspend | ||
| 67 | ······var_auditd_max_log_file_action:·ignore | 70 | ······var_auditd_max_log_file_action:·ignore |
| 68 | ······var_removable_partition:·/dev/cdrom | ||
| 69 | ······var_removable_partition:·/dev/cdrom | ||
| 70 | ······var_removable_partition:·/dev/cdrom | ||
| 71 | ···tasks: | 71 | ···tasks: |
| 72 | ····-·name:·Enable·service·ntpd | 72 | ····-·name:·Enable·service·ntpd |
| 73 | ······service: | 73 | ······service: |
| 74 | ········name="{{item}}" | 74 | ········name="{{item}}" |
| 75 | ········enabled="yes" | 75 | ········enabled="yes" |
| 76 | ········state="started" | 76 | ········state="started" |
| 77 | ······with_items: | 77 | ······with_items: |
| Offset 83, 14 lines modified | Offset 83, 50 lines modified | ||
| 83 | ········-·low_complexity | 83 | ········-·low_complexity |
| 84 | ········-·low_disruption | 84 | ········-·low_disruption |
| 85 | ········-·CCE-27093-4 | 85 | ········-·CCE-27093-4 |
| 86 | ········-·NIST-800-53-AU-8(1) | 86 | ········-·NIST-800-53-AU-8(1) |
| 87 | ········-·PCI-DSS-Req-10.4 | 87 | ········-·PCI-DSS-Req-10.4 |
| 88 | ········-·DISA-STIG-RHEL-06-000247 | 88 | ········-·DISA-STIG-RHEL-06-000247 |
| 89 | ···· | 89 | ···· |
| 90 | ····-·name:·Enable·service·crond | ||
| 91 | ······service: | ||
| 92 | ········name="{{item}}" | ||
| 93 | ········enabled="yes" | ||
| 94 | ········state="started" | ||
| 95 | ······with_items: | ||
| 96 | ········-·crond | ||
| 97 | ······tags: | ||
| 98 | ········-·service_crond_enabled | ||
| 99 | ········-·medium_severity | ||
| 100 | ········-·enable_strategy | ||
| 101 | ········-·low_complexity | ||
| 102 | ········-·low_disruption | ||
| 103 | ········-·CCE-27070-2 | ||
| 104 | ········-·NIST-800-53-CM-7 | ||
| 105 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 106 | ···· | ||
| 107 | ····-·name:·Disable·service·atd | ||
| 108 | ······service: | ||
| 109 | ········name="{{item}}" | ||
| 110 | ········enabled="no" | ||
| 111 | ········state="stopped" | ||
| 112 | ······register:·service_result | ||
| 113 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 114 | ······with_items: | ||
| 115 | ········-·atd | ||
| 116 | ······tags: | ||
| 117 | ········-·service_atd_disabled | ||
| 118 | ········-·unknown_severity | ||
| 119 | ········-·disable_strategy | ||
| 120 | ········-·low_complexity | ||
| 121 | ········-·low_disruption | ||
| 122 | ········-·CCE-27249-2 | ||
| 123 | ········-·NIST-800-53-CM-7 | ||
| 124 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 125 | ···· | ||
| 90 | ····-·name:·Ensure·rsh·is·removed | 126 | ····-·name:·Ensure·rsh·is·removed |
| 91 | ······package: | 127 | ······package: |
| 92 | ········name="{{item}}" | 128 | ········name="{{item}}" |
| 93 | ········state=absent | 129 | ········state=absent |
| 94 | ······with_items: | 130 | ······with_items: |
| 95 | ········-·rsh | 131 | ········-·rsh |
| 96 | ······tags: | 132 | ······tags: |
| Offset 243, 50 lines modified | Offset 279, 14 lines modified | ||
| 243 | ········-·disable_strategy | 279 | ········-·disable_strategy |
| 244 | ········-·low_complexity | 280 | ········-·low_complexity |
| 245 | ········-·low_disruption | 281 | ········-·low_disruption |
| 246 | ········-·CCE-27005-8 | 282 | ········-·CCE-27005-8 |
| 247 | ········-·NIST-800-53-CM-7 | 283 | ········-·NIST-800-53-CM-7 |
| 248 | ········-·DISA-STIG-RHEL-06-000204 | 284 | ········-·DISA-STIG-RHEL-06-000204 |
| 249 | ···· | 285 | ···· |
| 250 | ····-·name:·Enable·service·crond | ||
| 251 | ······service: | ||
| 252 | ········name="{{item}}" | ||
| 253 | ········enabled="yes" | ||
| 254 | ········state="started" | ||
| 255 | ······with_items: | ||
| 256 | ········-·crond | ||
| 257 | ······tags: | ||
| 258 | ········-·service_crond_enabled | ||
| 259 | ········-·medium_severity | ||
| 260 | ········-·enable_strategy | ||
| 261 | ········-·low_complexity | ||
| 262 | ········-·low_disruption | ||
| 263 | ········-·CCE-27070-2 | ||
| 264 | ········-·NIST-800-53-CM-7 | ||
| 265 | ········-·DISA-STIG-RHEL-06-000224 | ||
| Max diff block lines reached; 145514/150564 bytes (96.65%) of diff not shown. | |||
| Offset 33, 42 lines modified | Offset 33, 57 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·300 | 36 | ······sshd_idle_timeout_value:·300 |
| 37 | ······rsyslog_remote_loghost_address:·None | 37 | ······rsyslog_remote_loghost_address:·None |
| 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 40 | ······sysctl_net_ipv4_icmp_ | 40 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_ | 44 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 49 | ······sysctl_net_ipv4_icmp_ | 49 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_ | 50 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 51 | ······var_selinux_policy_name:·targeted | 51 | ······var_selinux_policy_name:·targeted |
| 52 | ······var_selinux_state:·enforcing | 52 | ······var_selinux_state:·enforcing |
| 53 | ······var_accounts_password_minlen_login_defs:·15 | 53 | ······var_accounts_password_minlen_login_defs:·15 |
| 54 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 55 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | 54 | ······var_accounts_password_warn_age_login_defs:·7 |
| 55 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 56 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 57 | ······var_password_pam_unix_remember:·5 | 57 | ······var_password_pam_unix_remember:·5 |
| 58 | ······var_accounts_passwords_pam_faillock_deny:·3 | 58 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 59 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 59 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 60 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 60 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 61 | ······var_password_pam_retry:·3 | 61 | ······var_password_pam_retry:·3 |
| 62 | ······var_accounts_tmout:·600 | 62 | ······var_accounts_tmout:·600 |
| 63 | ······var_removable_partition:·/dev/cdrom | ||
| 63 | ······var_auditd_max_log_file:·6 | 64 | ······var_auditd_max_log_file:·6 |
| 64 | ······var_auditd_admin_space_left_action:·single | 65 | ······var_auditd_admin_space_left_action:·single |
| 65 | ······var_auditd_max_log_file_action:·rotate | 66 | ······var_auditd_max_log_file_action:·rotate |
| 66 | ······var_removable_partition:·/dev/cdrom | ||
| 67 | ···tasks: | 67 | ···tasks: |
| 68 | ····-·name:·Ensure·vsftpd·is·installed | ||
| 69 | ······package: | ||
| 70 | ········name="{{item}}" | ||
| 71 | ········state=present | ||
| 72 | ······with_items: | ||
| 73 | ········-·vsftpd | ||
| 74 | ······tags: | ||
| 75 | ········-·package_vsftpd_installed | ||
| 76 | ········-·unknown_severity | ||
| 77 | ········-·enable_strategy | ||
| 78 | ········-·low_complexity | ||
| 79 | ········-·low_disruption | ||
| 80 | ········-·CCE-27187-4 | ||
| 81 | ········-·NIST-800-53-CM-7 | ||
| 82 | ···· | ||
| 68 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | 83 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 69 | ······stat: | 84 | ······stat: |
| 70 | ········path:·/etc/samba/smb.conf | 85 | ········path:·/etc/samba/smb.conf |
| 71 | ······register:·st_smb | 86 | ······register:·st_smb |
| 72 | ······tags: | 87 | ······tags: |
| 73 | ········-·require_smb_client_signing | 88 | ········-·require_smb_client_signing |
| 74 | ········-·unknown_severity | 89 | ········-·unknown_severity |
| Offset 108, 14 lines modified | Offset 123, 81 lines modified | ||
| 108 | ········-·low_complexity | 123 | ········-·low_complexity |
| 109 | ········-·low_disruption | 124 | ········-·low_disruption |
| 110 | ········-·CCE-27093-4 | 125 | ········-·CCE-27093-4 |
| 111 | ········-·NIST-800-53-AU-8(1) | 126 | ········-·NIST-800-53-AU-8(1) |
| 112 | ········-·PCI-DSS-Req-10.4 | 127 | ········-·PCI-DSS-Req-10.4 |
| 113 | ········-·DISA-STIG-RHEL-06-000247 | 128 | ········-·DISA-STIG-RHEL-06-000247 |
| 114 | ···· | 129 | ···· |
| 130 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 131 | ······package: | ||
| 132 | ········name="{{item}}" | ||
| 133 | ········state=absent | ||
| 134 | ······with_items: | ||
| 135 | ········-·openldap-servers | ||
| 136 | ······tags: | ||
| 137 | ········-·package_openldap-servers_removed | ||
| 138 | ········-·unknown_severity | ||
| 139 | ········-·disable_strategy | ||
| 140 | ········-·low_complexity | ||
| 141 | ········-·low_disruption | ||
| 142 | ········-·CCE-26858-1 | ||
| 143 | ········-·NIST-800-53-CM-7 | ||
| 144 | ········-·DISA-STIG-RHEL-06-000256 | ||
| 145 | ···· | ||
| 146 | ····-·name:·Enable·service·crond | ||
| 147 | ······service: | ||
| 148 | ········name="{{item}}" | ||
| 149 | ········enabled="yes" | ||
| 150 | ········state="started" | ||
| 151 | ······with_items: | ||
| 152 | ········-·crond | ||
| 153 | ······tags: | ||
| 154 | ········-·service_crond_enabled | ||
| 155 | ········-·medium_severity | ||
| 156 | ········-·enable_strategy | ||
| 157 | ········-·low_complexity | ||
| 158 | ········-·low_disruption | ||
| 159 | ········-·CCE-27070-2 | ||
| 160 | ········-·NIST-800-53-CM-7 | ||
| 161 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 162 | ···· | ||
| 163 | ····-·name:·Disable·service·atd | ||
| 164 | ······service: | ||
| 165 | ········name="{{item}}" | ||
| 166 | ········enabled="no" | ||
| 167 | ········state="stopped" | ||
| 168 | ······register:·service_result | ||
| 169 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 170 | ······with_items: | ||
| 171 | ········-·atd | ||
| 172 | ······tags: | ||
| 173 | ········-·service_atd_disabled | ||
| 174 | ········-·unknown_severity | ||
| 175 | ········-·disable_strategy | ||
| 176 | ········-·low_complexity | ||
| 177 | ········-·low_disruption | ||
| 178 | ········-·CCE-27249-2 | ||
| 179 | ········-·NIST-800-53-CM-7 | ||
| 180 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 181 | ···· | ||
| 182 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 183 | ······package: | ||
| 184 | ········name="{{item}}" | ||
| 185 | ········state=absent | ||
| 186 | ······with_items: | ||
| 187 | ········-·xorg-x11-server-common | ||
| 188 | ······tags: | ||
| Max diff block lines reached; 114906/119566 bytes (96.10%) of diff not shown. | |||
| Offset 38, 75 lines modified | Offset 38, 61 lines modified | ||
| 38 | ·········· | 38 | ·········· |
| 39 | ···vars: | 39 | ···vars: |
| 40 | ······sshd_idle_timeout_value:·300 | 40 | ······sshd_idle_timeout_value:·300 |
| 41 | ······rsyslog_remote_loghost_address:·None | 41 | ······rsyslog_remote_loghost_address:·None |
| 42 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 42 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 43 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 44 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_icmp_ | 45 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 47 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_ | 49 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 50 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 52 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 53 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 54 | ······sysctl_net_ipv4_icmp_ | 54 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 55 | ······sysctl_net_ipv4_conf_ | 55 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 56 | ······var_selinux_policy_name:·targeted | 56 | ······var_selinux_policy_name:·targeted |
| 57 | ······var_selinux_state:·enforcing | 57 | ······var_selinux_state:·enforcing |
| 58 | ······var_accounts_password_minlen_login_defs:·15 | 58 | ······var_accounts_password_minlen_login_defs:·15 |
| 59 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 60 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 61 | ······var_accounts_password_warn_age_login_defs:·7 | 59 | ······var_accounts_password_warn_age_login_defs:·7 |
| 60 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 61 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 62 | ······var_account_disable_post_pw_expiration:·40 | 62 | ······var_account_disable_post_pw_expiration:·40 |
| 63 | ······var_password_pam_unix_remember:·5 | 63 | ······var_password_pam_unix_remember:·5 |
| 64 | ······var_accounts_passwords_pam_faillock_deny:·3 | 64 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 65 | ······var_accounts_passwords_pam_faillock_unlock_time:·900 | 65 | ······var_accounts_passwords_pam_faillock_unlock_time:·900 |
| 66 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 66 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 67 | ······var_password_pam_retry:·3 | 67 | ······var_password_pam_retry:·3 |
| 68 | ······var_accounts_tmout:·600 | 68 | ······var_accounts_tmout:·600 |
| 69 | ······var_removable_partition:·/dev/cdrom | ||
| 70 | ······var_removable_partition:·/dev/cdrom | ||
| 71 | ······var_removable_partition:·/dev/cdrom | ||
| 69 | ······var_auditd_max_log_file:·6 | 72 | ······var_auditd_max_log_file:·6 |
| 70 | ······var_auditd_action_mail_acct:·admin | 73 | ······var_auditd_action_mail_acct:·admin |
| 71 | ······var_auditd_space_left_action:·suspend | ||
| 72 | ······var_auditd_admin_space_left_action:·single | 74 | ······var_auditd_admin_space_left_action:·single |
| 75 | ······var_auditd_space_left_action:·suspend | ||
| 73 | ······var_auditd_max_log_file_action:·rotate | 76 | ······var_auditd_max_log_file_action:·rotate |
| 74 | ······var_removable_partition:·/dev/cdrom | ||
| 75 | ······var_removable_partition:·/dev/cdrom | ||
| 76 | ······var_removable_partition:·/dev/cdrom | ||
| 77 | ···tasks: | 77 | ···tasks: |
| 78 | ····-·name:· | 78 | ····-·name:·Ensure·vsftpd·is·removed |
| 79 | ······ | 79 | ······package: |
| 80 | ········ | 80 | ········name="{{item}}" |
| 81 | ······ | 81 | ········state=absent |
| 82 | ······t | 82 | ······with_items: |
| 83 | ········-· | 83 | ········-·vsftpd |
| 84 | ········-·unknown_severity | ||
| 85 | ········-·configure_strategy | ||
| 86 | ········-·low_complexity | ||
| 87 | ········-·medium_disruption | ||
| 88 | ········-·CCE-26328-5 | ||
| 89 | ········-·DISA-STIG-RHEL-06-000272 | ||
| 90 | ···· | ||
| 91 | ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient | ||
| 92 | ······lineinfile: | ||
| 93 | ········dest:·/etc/samba/smb.conf | ||
| 94 | ········line:·client·signing·=·mandatory | ||
| 95 | ········state:·present | ||
| 96 | ········insertafter:·[global] | ||
| 97 | ······when:·st_smb.stat.exists | ||
| 98 | ······tags: | 84 | ······tags: |
| 99 | ········-· | 85 | ········-·package_vsftpd_removed |
| 100 | ········-·unknown_severity | 86 | ········-·unknown_severity |
| 101 | ········-· | 87 | ········-·disable_strategy |
| 102 | ········-·low_complexity | 88 | ········-·low_complexity |
| 103 | ········-· | 89 | ········-·low_disruption |
| 104 | ········-·CCE-26 | 90 | ········-·CCE-26687-4 |
| 105 | ········-· | 91 | ········-·NIST-800-53-CM-7 |
| 106 | ···· | 92 | ···· |
| 107 | ····-·name:·Disable·service·httpd | 93 | ····-·name:·Disable·service·httpd |
| 108 | ······service: | 94 | ······service: |
| 109 | ········name="{{item}}" | 95 | ········name="{{item}}" |
| 110 | ········enabled="no" | 96 | ········enabled="no" |
| 111 | ········state="stopped" | 97 | ········state="stopped" |
| 112 | ······register:·service_result | 98 | ······register:·service_result |
| Offset 133, 62 lines modified | Offset 119, 75 lines modified | ||
| 133 | ········-·unknown_severity | 119 | ········-·unknown_severity |
| 134 | ········-·disable_strategy | 120 | ········-·disable_strategy |
| 135 | ········-·low_complexity | 121 | ········-·low_complexity |
| 136 | ········-·low_disruption | 122 | ········-·low_disruption |
| 137 | ········-·CCE-27133-8 | 123 | ········-·CCE-27133-8 |
| 138 | ········-·NIST-800-53-CM-7 | 124 | ········-·NIST-800-53-CM-7 |
| 139 | ···· | 125 | ···· |
| 140 | ····-·name:· | 126 | ····-·name:·Disable·service·named |
| 141 | ······ | 127 | ······service: |
| 142 | ········name="{{item}}" | 128 | ········name="{{item}}" |
| 143 | ········ | 129 | ········enabled="no" |
| 130 | ········state="stopped" | ||
| 131 | ······register:·service_result | ||
| 132 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 144 | ······with_items: | 133 | ······with_items: |
| 145 | ········-· | 134 | ········-·named |
| 146 | ······tags: | 135 | ······tags: |
| 147 | ········-· | 136 | ········-·service_named_disabled |
| 148 | ········-· | 137 | ········-·unknown_severity |
| 149 | ········-·disable_strategy | 138 | ········-·disable_strategy |
| 150 | ········-·low_complexity | 139 | ········-·low_complexity |
| 151 | ········-·low_disruption | 140 | ········-·low_disruption |
| 152 | ········-·CCE-2 | 141 | ········-·CCE-26873-0 |
| 153 | ········-·NIST-800-53-CM-7 | 142 | ········-·NIST-800-53-CM-7 |
| 154 | ········-·DISA-STIG-RHEL-06-000288 | ||
| 155 | ···· | 143 | ···· |
| 156 | ····-·name:·Ensure· | 144 | ····-·name:·Ensure·bind·is·removed |
| 157 | ······package: | 145 | ······package: |
| 158 | ········name="{{item}}" | 146 | ········name="{{item}}" |
| 159 | ········state=absent | 147 | ········state=absent |
| 160 | ······with_items: | 148 | ······with_items: |
| 161 | ········-· | 149 | ········-·bind |
| 162 | ······tags: | 150 | ······tags: |
| 163 | ········-·package_ | 151 | ········-·package_bind_removed |
| 164 | ········-· | 152 | ········-·unknown_severity |
| 165 | ········-·disable_strategy | 153 | ········-·disable_strategy |
| 166 | ········-·low_complexity | 154 | ········-·low_complexity |
| 167 | ········-·low_disruption | 155 | ········-·low_disruption |
| 168 | ········-·CCE-27 | 156 | ········-·CCE-27030-6 |
| 169 | ········-·NIST-800-53-CM-7 | 157 | ········-·NIST-800-53-CM-7 |
| 170 | ···· | 158 | ···· |
| 171 | ····-·name:· | 159 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 172 | ······s | 160 | ······stat: |
| 173 | ········ | 161 | ········path:·/etc/samba/smb.conf |
| 174 | ······ | 162 | ······register:·st_smb |
| Max diff block lines reached; 169386/174902 bytes (96.85%) of diff not shown. | |||
| Offset 39, 16 lines modified | Offset 39, 16 lines modified | ||
| 39 | ······var_password_pam_unix_remember:·4 | 39 | ······var_password_pam_unix_remember:·4 |
| 40 | ······var_accounts_passwords_pam_faillock_deny:·6 | 40 | ······var_accounts_passwords_pam_faillock_deny:·6 |
| 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 | 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 |
| 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 43 | ······var_password_pam_minlen:·7 | 43 | ······var_password_pam_minlen:·7 |
| 44 | ······var_auditd_max_log_file:·1 | 44 | ······var_auditd_max_log_file:·1 |
| 45 | ······var_auditd_action_mail_acct:·admin | 45 | ······var_auditd_action_mail_acct:·admin |
| 46 | ······var_auditd_space_left_action:·suspend | ||
| 47 | ······var_auditd_admin_space_left_action:·suspend | 46 | ······var_auditd_admin_space_left_action:·suspend |
| 47 | ······var_auditd_space_left_action:·suspend | ||
| 48 | ······var_auditd_max_log_file_action:·ignore | 48 | ······var_auditd_max_log_file_action:·ignore |
| 49 | ···tasks: | 49 | ···tasks: |
| 50 | ····-·name:·Enable·service·ntpd | 50 | ····-·name:·Enable·service·ntpd |
| 51 | ······service: | 51 | ······service: |
| 52 | ········name="{{item}}" | 52 | ········name="{{item}}" |
| 53 | ········enabled="yes" | 53 | ········enabled="yes" |
| 54 | ········state="started" | 54 | ········state="started" |
| Offset 83, 439 lines modified | Offset 83, 14 lines modified | ||
| 83 | ········-·low_disruption | 83 | ········-·low_disruption |
| 84 | ········-·CCE-26919-1 | 84 | ········-·CCE-26919-1 |
| 85 | ········-·NIST-800-53-AC-2(5) | 85 | ········-·NIST-800-53-AC-2(5) |
| 86 | ········-·NIST-800-53-SA-8 | 86 | ········-·NIST-800-53-SA-8 |
| 87 | ········-·PCI-DSS-Req-8.1.8 | 87 | ········-·PCI-DSS-Req-8.1.8 |
| 88 | ········-·DISA-STIG-RHEL-06-000230 | 88 | ········-·DISA-STIG-RHEL-06-000230 |
| 89 | ···· | 89 | ···· |
| 90 | ····-·name:·"Read·list·of·files·with·incorrect·permissions" | ||
| 91 | ······shell:·"rpm·-Va·|·grep·'^.M'·|·cut·-d·'·'·-f5-·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" | ||
| 92 | ······register:·files_with_incorrect_permissions | ||
| 93 | ······failed_when:·False | ||
| 94 | ······changed_when:·False | ||
| 95 | ······check_mode:·no | ||
| 96 | ······tags: | ||
| 97 | ········-·rpm_verify_permissions | ||
| 98 | ········-·unknown_severity | ||
| 99 | ········-·restrict_strategy | ||
| 100 | ········-·high_complexity | ||
| 101 | ········-·medium_disruption | ||
| 102 | ········-·CCE-26731-0 | ||
| 103 | ········-·NIST-800-53-AC-6 | ||
| 104 | ········-·NIST-800-53-CM-6(d) | ||
| 105 | ········-·NIST-800-53-SI-7 | ||
| 106 | ········-·PCI-DSS-Req-11.5 | ||
| 107 | ········-·DISA-STIG-RHEL-06-000518 | ||
| 108 | ···· | ||
| 109 | ····-·name:·"Correct·file·permissions·with·RPM" | ||
| 110 | ······shell:·"rpm·--setperms·$(rpm·-qf·'{{item}}')" | ||
| 111 | ······with_items:·"{{·files_with_incorrect_permissions.stdout_lines·}}" | ||
| 112 | ······when:·files_with_incorrect_permissions.stdout_lines·|·length·>·0 | ||
| 113 | ······tags: | ||
| 114 | ········-·rpm_verify_permissions | ||
| 115 | ········-·unknown_severity | ||
| 116 | ········-·restrict_strategy | ||
| 117 | ········-·high_complexity | ||
| 118 | ········-·medium_disruption | ||
| 119 | ········-·CCE-26731-0 | ||
| 120 | ········-·NIST-800-53-AC-6 | ||
| 121 | ········-·NIST-800-53-CM-6(d) | ||
| 122 | ········-·NIST-800-53-SI-7 | ||
| 123 | ········-·PCI-DSS-Req-11.5 | ||
| 124 | ········-·DISA-STIG-RHEL-06-000518 | ||
| 125 | ···· | ||
| 126 | ····-·name:·"Set·fact:·Package·manager·reinstall·command·(dnf)" | ||
| 127 | ······set_fact: | ||
| 128 | ········package_manager_reinstall_cmd:·dnf·reinstall·-y | ||
| 129 | ······when:·ansible_distribution·==·"Fedora" | ||
| 130 | ······tags: | ||
| 131 | ········-·rpm_verify_hashes | ||
| 132 | ········-·unknown_severity | ||
| 133 | ········-·unknown_strategy | ||
| 134 | ········-·high_complexity | ||
| 135 | ········-·medium_disruption | ||
| 136 | ········-·CCE-27223-7 | ||
| 137 | ········-·NIST-800-53-CM-6(d) | ||
| 138 | ········-·NIST-800-53-SI-7 | ||
| 139 | ········-·PCI-DSS-Req-11.5 | ||
| 140 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 141 | ···· | ||
| 142 | ····-·name:·"Set·fact:·Package·manager·reinstall·command·(yum)" | ||
| 143 | ······set_fact: | ||
| 144 | ········package_manager_reinstall_cmd:·yum·reinstall·-y | ||
| 145 | ······when:·ansible_distribution·==·"RedHat"·or·ansible_distribution·==·"OracleLinux" | ||
| 146 | ······tags: | ||
| 147 | ········-·rpm_verify_hashes | ||
| 148 | ········-·unknown_severity | ||
| 149 | ········-·unknown_strategy | ||
| 150 | ········-·high_complexity | ||
| 151 | ········-·medium_disruption | ||
| 152 | ········-·CCE-27223-7 | ||
| 153 | ········-·NIST-800-53-CM-6(d) | ||
| 154 | ········-·NIST-800-53-SI-7 | ||
| 155 | ········-·PCI-DSS-Req-11.5 | ||
| 156 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 157 | ···· | ||
| 158 | ····-·name:·"Read·files·with·incorrect·hash" | ||
| 159 | ······shell:·"rpm·-Va·|·grep·-E·'^..5.*·/(bin|sbin|lib|lib64|usr)/'·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" | ||
| 160 | ······register:·files_with_incorrect_hash | ||
| 161 | ······changed_when:·False | ||
| 162 | ······when:·package_manager_reinstall_cmd·is·defined | ||
| 163 | ······check_mode:·no | ||
| 164 | ······tags: | ||
| 165 | ········-·rpm_verify_hashes | ||
| 166 | ········-·unknown_severity | ||
| 167 | ········-·unknown_strategy | ||
| 168 | ········-·high_complexity | ||
| 169 | ········-·medium_disruption | ||
| 170 | ········-·CCE-27223-7 | ||
| 171 | ········-·NIST-800-53-CM-6(d) | ||
| 172 | ········-·NIST-800-53-SI-7 | ||
| 173 | ········-·PCI-DSS-Req-11.5 | ||
| 174 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 175 | ···· | ||
| 176 | ····-·name:·"Reinstall·packages·of·files·with·incorrect·hash" | ||
| 177 | ······shell:·"{{package_manager_reinstall_cmd}}·$(rpm·-qf·'{{item}}')" | ||
| 178 | ······with_items:·"{{·files_with_incorrect_hash.stdout_lines·}}" | ||
| 179 | ······when:·package_manager_reinstall_cmd·is·defined·and·(files_with_incorrect_hash.stdout_lines·|·length·>·0) | ||
| 180 | ······tags: | ||
| 181 | ········-·rpm_verify_hashes | ||
| 182 | ········-·unknown_severity | ||
| 183 | ········-·unknown_strategy | ||
| 184 | ········-·high_complexity | ||
| 185 | ········-·medium_disruption | ||
| 186 | ········-·CCE-27223-7 | ||
| 187 | ········-·NIST-800-53-CM-6(d) | ||
| 188 | ········-·NIST-800-53-SI-7 | ||
| 189 | ········-·PCI-DSS-Req-11.5 | ||
| 190 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 191 | ···· | ||
| Max diff block lines reached; 77885/91457 bytes (85.16%) of diff not shown. | |||
| Offset 33, 23 lines modified | Offset 33, 42 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·300 | 36 | ······sshd_idle_timeout_value:·300 |
| 37 | ······var_selinux_policy_name:·targeted | 37 | ······var_selinux_policy_name:·targeted |
| 38 | ······var_selinux_state:·enforcing | 38 | ······var_selinux_state:·enforcing |
| 39 | ······var_accounts_password_minlen_login_defs:·6 | 39 | ······var_accounts_password_minlen_login_defs:·6 |
| 40 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 41 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 42 | ······var_accounts_password_warn_age_login_defs:·7 | 40 | ······var_accounts_password_warn_age_login_defs:·7 |
| 41 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 42 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 43 | ······var_password_pam_unix_remember:·5 | 43 | ······var_password_pam_unix_remember:·5 |
| 44 | ······var_accounts_passwords_pam_faillock_deny:·5 | 44 | ······var_accounts_passwords_pam_faillock_deny:·5 |
| 45 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 45 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 46 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 46 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 47 | ······var_password_pam_retry:·3 | 47 | ······var_password_pam_retry:·3 |
| 48 | ···tasks: | 48 | ···tasks: |
| 49 | ····-·name:·Disable·service·atd | ||
| 50 | ······service: | ||
| 51 | ········name="{{item}}" | ||
| 52 | ········enabled="no" | ||
| 53 | ········state="stopped" | ||
| 54 | ······register:·service_result | ||
| 55 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 56 | ······with_items: | ||
| 57 | ········-·atd | ||
| 58 | ······tags: | ||
| 59 | ········-·service_atd_disabled | ||
| 60 | ········-·unknown_severity | ||
| 61 | ········-·disable_strategy | ||
| 62 | ········-·low_complexity | ||
| 63 | ········-·low_disruption | ||
| 64 | ········-·CCE-27249-2 | ||
| 65 | ········-·NIST-800-53-CM-7 | ||
| 66 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 67 | ···· | ||
| 49 | ····-·name:·Ensure·rsh-server·is·removed | 68 | ····-·name:·Ensure·rsh-server·is·removed |
| 50 | ······package: | 69 | ······package: |
| 51 | ········name="{{item}}" | 70 | ········name="{{item}}" |
| 52 | ········state=absent | 71 | ········state=absent |
| 53 | ······with_items: | 72 | ······with_items: |
| 54 | ········-·rsh-server | 73 | ········-·rsh-server |
| 55 | ······tags: | 74 | ······tags: |
| Offset 179, 33 lines modified | Offset 198, 14 lines modified | ||
| 179 | ········-·disable_strategy | 198 | ········-·disable_strategy |
| 180 | ········-·low_complexity | 199 | ········-·low_complexity |
| 181 | ········-·low_disruption | 200 | ········-·low_disruption |
| 182 | ········-·CCE-27005-8 | 201 | ········-·CCE-27005-8 |
| 183 | ········-·NIST-800-53-CM-7 | 202 | ········-·NIST-800-53-CM-7 |
| 184 | ········-·DISA-STIG-RHEL-06-000204 | 203 | ········-·DISA-STIG-RHEL-06-000204 |
| 185 | ···· | 204 | ···· |
| 186 | ····-·name:·Disable·service·atd | ||
| 187 | ······service: | ||
| 188 | ········name="{{item}}" | ||
| 189 | ········enabled="no" | ||
| 190 | ········state="stopped" | ||
| 191 | ······register:·service_result | ||
| 192 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 193 | ······with_items: | ||
| 194 | ········-·atd | ||
| 195 | ······tags: | ||
| 196 | ········-·service_atd_disabled | ||
| 197 | ········-·unknown_severity | ||
| 198 | ········-·disable_strategy | ||
| 199 | ········-·low_complexity | ||
| 200 | ········-·low_disruption | ||
| 201 | ········-·CCE-27249-2 | ||
| 202 | ········-·NIST-800-53-CM-7 | ||
| 203 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 204 | ···· | ||
| 205 | ····-·name:·Disable·service·rdisc | 205 | ····-·name:·Disable·service·rdisc |
| 206 | ······service: | 206 | ······service: |
| 207 | ········name="{{item}}" | 207 | ········name="{{item}}" |
| 208 | ········enabled="no" | 208 | ········enabled="no" |
| 209 | ········state="stopped" | 209 | ········state="stopped" |
| 210 | ······register:·service_result | 210 | ······register:·service_result |
| 211 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 211 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 294, 14 lines modified | Offset 294, 33 lines modified | ||
| 294 | ········-·disable_strategy | 294 | ········-·disable_strategy |
| 295 | ········-·low_complexity | 295 | ········-·low_complexity |
| 296 | ········-·low_disruption | 296 | ········-·low_disruption |
| 297 | ········-·CCE-27256-7 | 297 | ········-·CCE-27256-7 |
| 298 | ········-·NIST-800-53-CM-7 | 298 | ········-·NIST-800-53-CM-7 |
| 299 | ········-·DISA-STIG-RHEL-06-000265 | 299 | ········-·DISA-STIG-RHEL-06-000265 |
| 300 | ···· | 300 | ···· |
| 301 | ····-·name:·Disable·service·avahi-daemon | ||
| 302 | ······service: | ||
| 303 | ········name="{{item}}" | ||
| 304 | ········enabled="no" | ||
| 305 | ········state="stopped" | ||
| 306 | ······register:·service_result | ||
| 307 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 308 | ······with_items: | ||
| 309 | ········-·avahi-daemon | ||
| 310 | ······tags: | ||
| 311 | ········-·service_avahi-daemon_disabled | ||
| 312 | ········-·unknown_severity | ||
| 313 | ········-·disable_strategy | ||
| 314 | ········-·low_complexity | ||
| 315 | ········-·low_disruption | ||
| 316 | ········-·CCE-27087-6 | ||
| 317 | ········-·NIST-800-53-CM-7 | ||
| 318 | ········-·DISA-STIG-RHEL-06-000246 | ||
| 319 | ···· | ||
| 301 | ····-·name:·Disable·SSH·Support·for·.rhosts·Files | 320 | ····-·name:·Disable·SSH·Support·for·.rhosts·Files |
| 302 | ······lineinfile: | 321 | ······lineinfile: |
| 303 | ········create:·yes | 322 | ········create:·yes |
| 304 | ········dest:·/etc/ssh/sshd_config | 323 | ········dest:·/etc/ssh/sshd_config |
| 305 | ········regexp:·^IgnoreRhosts | 324 | ········regexp:·^IgnoreRhosts |
| 306 | ········line:·IgnoreRhosts·yes | 325 | ········line:·IgnoreRhosts·yes |
| 307 | ········validate:·sshd·-t·-f·%s | 326 | ········validate:·sshd·-t·-f·%s |
| Offset 440, 33 lines modified | Offset 459, 14 lines modified | ||
| 440 | ········-·restrict_strategy | 459 | ········-·restrict_strategy |
| 441 | ········-·low_complexity | 460 | ········-·low_complexity |
| 442 | ········-·low_disruption | 461 | ········-·low_disruption |
| 443 | ········-·CCE-27091-8 | 462 | ········-·CCE-27091-8 |
| 444 | ········-·NIST-800-53-AC-3 | 463 | ········-·NIST-800-53-AC-3 |
| 445 | ········-·DISA-STIG-RHEL-06-000236 | 464 | ········-·DISA-STIG-RHEL-06-000236 |
| 446 | ···· | 465 | ···· |
| 447 | ···· | ||
| 448 | ····-·name:·"Allow·Only·SSH·Protocol·2" | ||
| 449 | ······lineinfile: | ||
| 450 | ········dest:·/etc/ssh/sshd_config | ||
| 451 | ········regexp:·"^Protocol·[0-9]" | ||
| 452 | ········line:·"Protocol·2" | ||
| 453 | ········validate:·sshd·-t·-f·%s | ||
| Max diff block lines reached; 22675/26927 bytes (84.21%) of diff not shown. | |||
| Offset 34, 41 lines modified | Offset 34, 41 lines modified | ||
| 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······rsyslog_remote_loghost_address:·None | 38 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 41 | ······sysctl_net_ipv4_icmp_ | 41 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_conf_ | 45 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_ | 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 52 | ······var_selinux_policy_name:·targeted | 52 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 53 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·15 | 54 | ······var_accounts_password_minlen_login_defs:·15 |
| 55 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_password_warn_age_login_defs:·7 | 55 | ······var_accounts_password_warn_age_login_defs:·7 |
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 58 | ······var_password_pam_unix_remember:·5 | 58 | ······var_password_pam_unix_remember:·5 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_tmout:·600 | 63 | ······var_accounts_tmout:·600 |
| 64 | ······var_removable_partition:·/dev/cdrom | ||
| 64 | ······var_auditd_max_log_file:·6 | 65 | ······var_auditd_max_log_file:·6 |
| 65 | ······var_auditd_admin_space_left_action:·single | 66 | ······var_auditd_admin_space_left_action:·single |
| 66 | ······var_auditd_max_log_file_action:·rotate | 67 | ······var_auditd_max_log_file_action:·rotate |
| 67 | ······var_removable_partition:·/dev/cdrom | ||
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | 69 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 70 | ······stat: | 70 | ······stat: |
| 71 | ········path:·/etc/samba/smb.conf | 71 | ········path:·/etc/samba/smb.conf |
| 72 | ······register:·st_smb | 72 | ······register:·st_smb |
| 73 | ······tags: | 73 | ······tags: |
| 74 | ········-·require_smb_client_signing | 74 | ········-·require_smb_client_signing |
| Offset 109, 14 lines modified | Offset 109, 81 lines modified | ||
| 109 | ········-·low_complexity | 109 | ········-·low_complexity |
| 110 | ········-·low_disruption | 110 | ········-·low_disruption |
| 111 | ········-·CCE-27093-4 | 111 | ········-·CCE-27093-4 |
| 112 | ········-·NIST-800-53-AU-8(1) | 112 | ········-·NIST-800-53-AU-8(1) |
| 113 | ········-·PCI-DSS-Req-10.4 | 113 | ········-·PCI-DSS-Req-10.4 |
| 114 | ········-·DISA-STIG-RHEL-06-000247 | 114 | ········-·DISA-STIG-RHEL-06-000247 |
| 115 | ···· | 115 | ···· |
| 116 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 117 | ······package: | ||
| 118 | ········name="{{item}}" | ||
| 119 | ········state=absent | ||
| 120 | ······with_items: | ||
| 121 | ········-·openldap-servers | ||
| 122 | ······tags: | ||
| 123 | ········-·package_openldap-servers_removed | ||
| 124 | ········-·unknown_severity | ||
| 125 | ········-·disable_strategy | ||
| 126 | ········-·low_complexity | ||
| 127 | ········-·low_disruption | ||
| 128 | ········-·CCE-26858-1 | ||
| 129 | ········-·NIST-800-53-CM-7 | ||
| 130 | ········-·DISA-STIG-RHEL-06-000256 | ||
| 131 | ···· | ||
| 132 | ····-·name:·Enable·service·crond | ||
| 133 | ······service: | ||
| 134 | ········name="{{item}}" | ||
| 135 | ········enabled="yes" | ||
| 136 | ········state="started" | ||
| 137 | ······with_items: | ||
| 138 | ········-·crond | ||
| 139 | ······tags: | ||
| 140 | ········-·service_crond_enabled | ||
| 141 | ········-·medium_severity | ||
| 142 | ········-·enable_strategy | ||
| 143 | ········-·low_complexity | ||
| 144 | ········-·low_disruption | ||
| 145 | ········-·CCE-27070-2 | ||
| 146 | ········-·NIST-800-53-CM-7 | ||
| 147 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 148 | ···· | ||
| 149 | ····-·name:·Disable·service·atd | ||
| 150 | ······service: | ||
| 151 | ········name="{{item}}" | ||
| 152 | ········enabled="no" | ||
| 153 | ········state="stopped" | ||
| 154 | ······register:·service_result | ||
| 155 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 156 | ······with_items: | ||
| 157 | ········-·atd | ||
| 158 | ······tags: | ||
| 159 | ········-·service_atd_disabled | ||
| 160 | ········-·unknown_severity | ||
| 161 | ········-·disable_strategy | ||
| 162 | ········-·low_complexity | ||
| 163 | ········-·low_disruption | ||
| 164 | ········-·CCE-27249-2 | ||
| 165 | ········-·NIST-800-53-CM-7 | ||
| 166 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 167 | ···· | ||
| 168 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 169 | ······package: | ||
| 170 | ········name="{{item}}" | ||
| 171 | ········state=absent | ||
| 172 | ······with_items: | ||
| 173 | ········-·xorg-x11-server-common | ||
| 174 | ······tags: | ||
| 175 | ········-·package_xorg-x11-server-common_removed | ||
| 176 | ········-·unknown_severity | ||
| 177 | ········-·disable_strategy | ||
| 178 | ········-·low_complexity | ||
| 179 | ········-·low_disruption | ||
| 180 | ········-·CCE-27198-1 | ||
| 181 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 182 | ···· | ||
| 116 | ····-·name:·Ensure·rsh-server·is·removed | 183 | ····-·name:·Ensure·rsh-server·is·removed |
| 117 | ······package: | 184 | ······package: |
| 118 | ········name="{{item}}" | 185 | ········name="{{item}}" |
| 119 | ········state=absent | 186 | ········state=absent |
| 120 | ······with_items: | 187 | ······with_items: |
| 121 | ········-·rsh-server | 188 | ········-·rsh-server |
| 122 | ······tags: | 189 | ······tags: |
| Offset 271, 65 lines modified | Offset 338, 14 lines modified | ||
| Max diff block lines reached; 114413/118830 bytes (96.28%) of diff not shown. | |||
| Offset 35, 41 lines modified | Offset 35, 41 lines modified | ||
| 35 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 35 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 36 | ·········· | 36 | ·········· |
| 37 | ···vars: | 37 | ···vars: |
| 38 | ······sshd_idle_timeout_value:·300 | 38 | ······sshd_idle_timeout_value:·300 |
| 39 | ······rsyslog_remote_loghost_address:·None | 39 | ······rsyslog_remote_loghost_address:·None |
| 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 42 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_ | 46 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_icmp_ | 51 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 52 | ······sysctl_net_ipv4_conf_ | 52 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 53 | ······var_selinux_policy_name:·targeted | 53 | ······var_selinux_policy_name:·targeted |
| 54 | ······var_selinux_state:·enforcing | 54 | ······var_selinux_state:·enforcing |
| 55 | ······var_accounts_password_minlen_login_defs:·15 | 55 | ······var_accounts_password_minlen_login_defs:·15 |
| 56 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 57 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 58 | ······var_accounts_password_warn_age_login_defs:·7 | 56 | ······var_accounts_password_warn_age_login_defs:·7 |
| 57 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 58 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 59 | ······var_password_pam_unix_remember:·5 | 59 | ······var_password_pam_unix_remember:·5 |
| 60 | ······var_accounts_passwords_pam_faillock_deny:·3 | 60 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 62 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 62 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 63 | ······var_password_pam_retry:·3 | 63 | ······var_password_pam_retry:·3 |
| 64 | ······var_accounts_tmout:·600 | 64 | ······var_accounts_tmout:·600 |
| 65 | ······var_removable_partition:·/dev/cdrom | ||
| 65 | ······var_auditd_max_log_file:·6 | 66 | ······var_auditd_max_log_file:·6 |
| 66 | ······var_auditd_admin_space_left_action:·single | 67 | ······var_auditd_admin_space_left_action:·single |
| 67 | ······var_auditd_max_log_file_action:·rotate | 68 | ······var_auditd_max_log_file_action:·rotate |
| 68 | ······var_removable_partition:·/dev/cdrom | ||
| 69 | ···tasks: | 69 | ···tasks: |
| 70 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | 70 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 71 | ······stat: | 71 | ······stat: |
| 72 | ········path:·/etc/samba/smb.conf | 72 | ········path:·/etc/samba/smb.conf |
| 73 | ······register:·st_smb | 73 | ······register:·st_smb |
| 74 | ······tags: | 74 | ······tags: |
| 75 | ········-·require_smb_client_signing | 75 | ········-·require_smb_client_signing |
| Offset 110, 14 lines modified | Offset 110, 66 lines modified | ||
| 110 | ········-·low_complexity | 110 | ········-·low_complexity |
| 111 | ········-·low_disruption | 111 | ········-·low_disruption |
| 112 | ········-·CCE-27093-4 | 112 | ········-·CCE-27093-4 |
| 113 | ········-·NIST-800-53-AU-8(1) | 113 | ········-·NIST-800-53-AU-8(1) |
| 114 | ········-·PCI-DSS-Req-10.4 | 114 | ········-·PCI-DSS-Req-10.4 |
| 115 | ········-·DISA-STIG-RHEL-06-000247 | 115 | ········-·DISA-STIG-RHEL-06-000247 |
| 116 | ···· | 116 | ···· |
| 117 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 118 | ······package: | ||
| 119 | ········name="{{item}}" | ||
| 120 | ········state=absent | ||
| 121 | ······with_items: | ||
| 122 | ········-·openldap-servers | ||
| 123 | ······tags: | ||
| 124 | ········-·package_openldap-servers_removed | ||
| 125 | ········-·unknown_severity | ||
| 126 | ········-·disable_strategy | ||
| 127 | ········-·low_complexity | ||
| 128 | ········-·low_disruption | ||
| 129 | ········-·CCE-26858-1 | ||
| 130 | ········-·NIST-800-53-CM-7 | ||
| 131 | ········-·DISA-STIG-RHEL-06-000256 | ||
| 132 | ···· | ||
| 133 | ····-·name:·Enable·service·crond | ||
| 134 | ······service: | ||
| 135 | ········name="{{item}}" | ||
| 136 | ········enabled="yes" | ||
| 137 | ········state="started" | ||
| 138 | ······with_items: | ||
| 139 | ········-·crond | ||
| 140 | ······tags: | ||
| 141 | ········-·service_crond_enabled | ||
| 142 | ········-·medium_severity | ||
| 143 | ········-·enable_strategy | ||
| 144 | ········-·low_complexity | ||
| 145 | ········-·low_disruption | ||
| 146 | ········-·CCE-27070-2 | ||
| 147 | ········-·NIST-800-53-CM-7 | ||
| 148 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 149 | ···· | ||
| 150 | ····-·name:·Disable·service·atd | ||
| 151 | ······service: | ||
| 152 | ········name="{{item}}" | ||
| 153 | ········enabled="no" | ||
| 154 | ········state="stopped" | ||
| 155 | ······register:·service_result | ||
| 156 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 157 | ······with_items: | ||
| 158 | ········-·atd | ||
| 159 | ······tags: | ||
| 160 | ········-·service_atd_disabled | ||
| 161 | ········-·unknown_severity | ||
| 162 | ········-·disable_strategy | ||
| 163 | ········-·low_complexity | ||
| 164 | ········-·low_disruption | ||
| 165 | ········-·CCE-27249-2 | ||
| 166 | ········-·NIST-800-53-CM-7 | ||
| 167 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 168 | ···· | ||
| 117 | ····-·name:·Ensure·rsh-server·is·removed | 169 | ····-·name:·Ensure·rsh-server·is·removed |
| 118 | ······package: | 170 | ······package: |
| 119 | ········name="{{item}}" | 171 | ········name="{{item}}" |
| 120 | ········state=absent | 172 | ········state=absent |
| 121 | ······with_items: | 173 | ······with_items: |
| 122 | ········-·rsh-server | 174 | ········-·rsh-server |
| 123 | ······tags: | 175 | ······tags: |
| Offset 272, 50 lines modified | Offset 324, 14 lines modified | ||
| 272 | ········-·disable_strategy | 324 | ········-·disable_strategy |
| 273 | ········-·low_complexity | 325 | ········-·low_complexity |
| 274 | ········-·low_disruption | 326 | ········-·low_disruption |
| 275 | ········-·CCE-27005-8 | 327 | ········-·CCE-27005-8 |
| 276 | ········-·NIST-800-53-CM-7 | 328 | ········-·NIST-800-53-CM-7 |
| 277 | ········-·DISA-STIG-RHEL-06-000204 | 329 | ········-·DISA-STIG-RHEL-06-000204 |
| 278 | ···· | 330 | ···· |
| 279 | ····-·name:·Enable·service·crond | ||
| 280 | ······service: | ||
| 281 | ········name="{{item}}" | ||
| 282 | ········enabled="yes" | ||
| 283 | ········state="started" | ||
| 284 | ······with_items: | ||
| 285 | ········-·crond | ||
| 286 | ······tags: | ||
| Max diff block lines reached; 112847/118018 bytes (95.62%) of diff not shown. | |||
| Offset 40, 49 lines modified | Offset 40, 49 lines modified | ||
| 40 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 40 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 41 | ·········· | 41 | ·········· |
| 42 | ···vars: | 42 | ···vars: |
| 43 | ······sshd_idle_timeout_value:·900 | 43 | ······sshd_idle_timeout_value:·900 |
| 44 | ······rsyslog_remote_loghost_address:·None | 44 | ······rsyslog_remote_loghost_address:·None |
| 45 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 46 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_icmp_ | 47 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 50 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 51 | ······sysctl_net_ipv4_conf_ | 51 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 52 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 52 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 53 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 54 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 54 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 55 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 55 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 56 | ······sysctl_net_ipv4_icmp_ | 56 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 57 | ······sysctl_net_ipv4_conf_ | 57 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 58 | ······var_selinux_policy_name:·targeted | 58 | ······var_selinux_policy_name:·targeted |
| 59 | ······var_selinux_state:·enforcing | 59 | ······var_selinux_state:·enforcing |
| 60 | ······var_accounts_password_minlen_login_defs:·15 | 60 | ······var_accounts_password_minlen_login_defs:·15 |
| 61 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 62 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 63 | ······var_accounts_password_warn_age_login_defs:·7 | 61 | ······var_accounts_password_warn_age_login_defs:·7 |
| 62 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 63 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 64 | ······var_account_disable_post_pw_expiration:·35 | 64 | ······var_account_disable_post_pw_expiration:·35 |
| 65 | ······var_password_pam_unix_remember:·5 | 65 | ······var_password_pam_unix_remember:·5 |
| 66 | ······var_accounts_passwords_pam_faillock_deny:·3 | 66 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 67 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 67 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 68 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 68 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 69 | ······var_password_pam_maxrepeat:·3 | 69 | ······var_password_pam_maxrepeat:·3 |
| 70 | ······var_password_pam_retry:·3 | 70 | ······var_password_pam_retry:·3 |
| 71 | ······var_accounts_user_umask:·077 | 71 | ······var_accounts_user_umask:·077 |
| 72 | ······var_accounts_tmout:·600 | 72 | ······var_accounts_tmout:·600 |
| 73 | ······var_accounts_max_concurrent_login_sessions:·10 | 73 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 74 | ······var_removable_partition:·/dev/cdrom | ||
| 75 | ······var_removable_partition:·/dev/cdrom | ||
| 76 | ······var_removable_partition:·/dev/cdrom | ||
| 74 | ······var_auditd_max_log_file:·6 | 77 | ······var_auditd_max_log_file:·6 |
| 75 | ······var_auditd_action_mail_acct:·admin | 78 | ······var_auditd_action_mail_acct:·admin |
| 76 | ······var_auditd_space_left_action:·suspend | ||
| 77 | ······var_auditd_admin_space_left_action:·single | 79 | ······var_auditd_admin_space_left_action:·single |
| 80 | ······var_auditd_space_left_action:·suspend | ||
| 78 | ······var_auditd_max_log_file_action:·rotate | 81 | ······var_auditd_max_log_file_action:·rotate |
| 79 | ······var_removable_partition:·/dev/cdrom | ||
| 80 | ······var_removable_partition:·/dev/cdrom | ||
| 81 | ······var_removable_partition:·/dev/cdrom | ||
| 82 | ···tasks: | 82 | ···tasks: |
| 83 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | 83 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 84 | ······stat: | 84 | ······stat: |
| 85 | ········path:·/etc/samba/smb.conf | 85 | ········path:·/etc/samba/smb.conf |
| 86 | ······register:·st_smb | 86 | ······register:·st_smb |
| 87 | ······tags: | 87 | ······tags: |
| 88 | ········-·require_smb_client_signing | 88 | ········-·require_smb_client_signing |
| Offset 105, 63 lines modified | Offset 105, 98 lines modified | ||
| 105 | ········-·unknown_severity | 105 | ········-·unknown_severity |
| 106 | ········-·configure_strategy | 106 | ········-·configure_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·medium_disruption | 108 | ········-·medium_disruption |
| 109 | ········-·CCE-26328-5 | 109 | ········-·CCE-26328-5 |
| 110 | ········-·DISA-STIG-RHEL-06-000272 | 110 | ········-·DISA-STIG-RHEL-06-000272 |
| 111 | ···· | 111 | ···· |
| 112 | ····-·name:·En | 112 | ····-·name:·Enable·service·ntpd |
| 113 | ······service: | ||
| 114 | ········name="{{item}}" | ||
| 115 | ········enabled="yes" | ||
| 116 | ········state="started" | ||
| 117 | ······with_items: | ||
| 118 | ········-·ntpd | ||
| 119 | ······tags: | ||
| 120 | ········-·service_ntpd_enabled | ||
| 121 | ········-·medium_severity | ||
| 122 | ········-·enable_strategy | ||
| 123 | ········-·low_complexity | ||
| 124 | ········-·low_disruption | ||
| 125 | ········-·CCE-27093-4 | ||
| 126 | ········-·NIST-800-53-AU-8(1) | ||
| 127 | ········-·PCI-DSS-Req-10.4 | ||
| 128 | ········-·DISA-STIG-RHEL-06-000247 | ||
| 129 | ···· | ||
| 130 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 113 | ······package: | 131 | ······package: |
| 114 | ········name="{{item}}" | 132 | ········name="{{item}}" |
| 115 | ········state=absent | 133 | ········state=absent |
| 116 | ······with_items: | 134 | ······with_items: |
| 117 | ········-· | 135 | ········-·openldap-servers |
| 118 | ······tags: | 136 | ······tags: |
| 119 | ········-·package_ | 137 | ········-·package_openldap-servers_removed |
| 120 | ········-· | 138 | ········-·unknown_severity |
| 121 | ········-·disable_strategy | 139 | ········-·disable_strategy |
| 122 | ········-·low_complexity | 140 | ········-·low_complexity |
| 123 | ········-·low_disruption | 141 | ········-·low_disruption |
| 124 | ········-·CCE-2 | 142 | ········-·CCE-26858-1 |
| 125 | ········-·NIST-800-53-CM-7 | 143 | ········-·NIST-800-53-CM-7 |
| 126 | ········-·DISA-STIG-RHEL-06-0002 | 144 | ········-·DISA-STIG-RHEL-06-000256 |
| 127 | ···· | 145 | ···· |
| 128 | ····-·name:·Enable·service· | 146 | ····-·name:·Enable·service·crond |
| 129 | ······service: | 147 | ······service: |
| 130 | ········name="{{item}}" | 148 | ········name="{{item}}" |
| 131 | ········enabled="yes" | 149 | ········enabled="yes" |
| 132 | ········state="started" | 150 | ········state="started" |
| 133 | ······with_items: | 151 | ······with_items: |
| 134 | ········-· | 152 | ········-·crond |
| 135 | ······tags: | 153 | ······tags: |
| 136 | ········-·service_ | 154 | ········-·service_crond_enabled |
| 137 | ········-· | 155 | ········-·medium_severity |
| 138 | ········-·enable_strategy | 156 | ········-·enable_strategy |
| 139 | ········-·low_complexity | 157 | ········-·low_complexity |
| 140 | ········-·low_disruption | 158 | ········-·low_disruption |
| 141 | ········-·CCE-2 | 159 | ········-·CCE-27070-2 |
| 142 | ········-· | 160 | ········-·NIST-800-53-CM-7 |
| 161 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 143 | ···· | 162 | ···· |
| 144 | ····-·name:· | 163 | ····-·name:·Disable·service·atd |
| 145 | ······service: | 164 | ······service: |
| 146 | ········name="{{item}}" | 165 | ········name="{{item}}" |
| 147 | ········enabled=" | 166 | ········enabled="no" |
| 148 | ········state="st | 167 | ········state="stopped" |
| 168 | ······register:·service_result | ||
| 169 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 149 | ······with_items: | 170 | ······with_items: |
| 150 | ········-· | 171 | ········-·atd |
| 151 | ······tags: | 172 | ······tags: |
| 152 | ········-·service_ | 173 | ········-·service_atd_disabled |
| 153 | ········-· | 174 | ········-·unknown_severity |
| 154 | ········-· | 175 | ········-·disable_strategy |
| Max diff block lines reached; 146690/151852 bytes (96.60%) of diff not shown. | |||
| Offset 35, 85 lines modified | Offset 35, 72 lines modified | ||
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······rsyslog_remote_loghost_address:·None | 38 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 39 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 42 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 | ||
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 | ||
| 52 | ······var_selinux_policy_name:·targeted | 52 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 53 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·12 | 54 | ······var_accounts_password_minlen_login_defs:·12 |
| 55 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 56 | ······var_accounts_password_warn_age_login_defs:·14 | 55 | ······var_accounts_password_warn_age_login_defs:·14 |
| 56 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 57 | ······var_account_disable_post_pw_expiration:·30 | 57 | ······var_account_disable_post_pw_expiration:·30 |
| 58 | ······var_password_pam_unix_remember:·24 | 58 | ······var_password_pam_unix_remember:·24 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·5 | 59 | ······var_accounts_passwords_pam_faillock_deny:·5 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_user_umask:·077 | 63 | ······var_accounts_user_umask:·077 |
| 64 | ······var_removable_partition:·/dev/cdrom | 64 | ······var_removable_partition:·/dev/cdrom |
| 65 | ······var_removable_partition:·/dev/cdrom | 65 | ······var_removable_partition:·/dev/cdrom |
| 66 | ······var_removable_partition:·/dev/cdrom | 66 | ······var_removable_partition:·/dev/cdrom |
| 67 | ···tasks: | 67 | ···tasks: |
| 68 | ····-·name:·Disable·service·s | 68 | ····-·name:·Disable·service·vsftpd |
| 69 | ······service: | 69 | ······service: |
| 70 | ········name="{{item}}" | 70 | ········name="{{item}}" |
| 71 | ········enabled="no" | 71 | ········enabled="no" |
| 72 | ········state="stopped" | 72 | ········state="stopped" |
| 73 | ······register:·service_result | 73 | ······register:·service_result |
| 74 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 74 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 75 | ······with_items: | 75 | ······with_items: |
| 76 | ········-·s | 76 | ········-·vsftpd |
| 77 | ······tags: | 77 | ······tags: |
| 78 | ········-·service_s | 78 | ········-·service_vsftpd_disabled |
| 79 | ········-·unknown_severity | 79 | ········-·unknown_severity |
| 80 | ········-·disable_strategy | 80 | ········-·disable_strategy |
| 81 | ········-·low_complexity | 81 | ········-·low_complexity |
| 82 | ········-·low_disruption | 82 | ········-·low_disruption |
| 83 | ········-·CCE-2 | 83 | ········-·CCE-26948-0 |
| 84 | ···· | 84 | ········-·NIST-800-53-CM-7 |
| 85 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 86 | ······stat: | ||
| 87 | ········path:·/etc/samba/smb.conf | ||
| 88 | ······register:·st_smb | ||
| 89 | ······tags: | ||
| 90 | ········-·require_smb_client_signing | ||
| 91 | ········-·unknown_severity | ||
| 92 | ········-·configure_strategy | ||
| 93 | ········-·low_complexity | ||
| 94 | ········-·medium_disruption | ||
| 95 | ········-·CCE-26328-5 | ||
| 96 | ········-·DISA-STIG-RHEL-06-000272 | ||
| 97 | ···· | 85 | ···· |
| 98 | ····-·name:· | 86 | ····-·name:·Ensure·vsftpd·is·removed |
| 99 | ······ | 87 | ······package: |
| 100 | ········ | 88 | ········name="{{item}}" |
| 101 | ········ | 89 | ········state=absent |
| 102 | ······ | 90 | ······with_items: |
| 103 | ········ | 91 | ········-·vsftpd |
| 104 | ······when:·st_smb.stat.exists | ||
| 105 | ······tags: | 92 | ······tags: |
| 106 | ········-· | 93 | ········-·package_vsftpd_removed |
| 107 | ········-·unknown_severity | 94 | ········-·unknown_severity |
| 108 | ········-· | 95 | ········-·disable_strategy |
| 109 | ········-·low_complexity | 96 | ········-·low_complexity |
| 110 | ········-· | 97 | ········-·low_disruption |
| 111 | ········-·CCE-26 | 98 | ········-·CCE-26687-4 |
| 112 | ········-· | 99 | ········-·NIST-800-53-CM-7 |
| 113 | ···· | 100 | ···· |
| 114 | ····-·name:·Disable·service·httpd | 101 | ····-·name:·Disable·service·httpd |
| 115 | ······service: | 102 | ······service: |
| 116 | ········name="{{item}}" | 103 | ········name="{{item}}" |
| 117 | ········enabled="no" | 104 | ········enabled="no" |
| 118 | ········state="stopped" | 105 | ········state="stopped" |
| 119 | ······register:·service_result | 106 | ······register:·service_result |
| Offset 140, 62 lines modified | Offset 127, 92 lines modified | ||
| 140 | ········-·unknown_severity | 127 | ········-·unknown_severity |
| 141 | ········-·disable_strategy | 128 | ········-·disable_strategy |
| 142 | ········-·low_complexity | 129 | ········-·low_complexity |
| 143 | ········-·low_disruption | 130 | ········-·low_disruption |
| 144 | ········-·CCE-27133-8 | 131 | ········-·CCE-27133-8 |
| 145 | ········-·NIST-800-53-CM-7 | 132 | ········-·NIST-800-53-CM-7 |
| 146 | ···· | 133 | ···· |
| 147 | ····-·name:· | 134 | ····-·name:·Disable·service·named |
| 148 | ······ | 135 | ······service: |
| 149 | ········name="{{item}}" | 136 | ········name="{{item}}" |
| 150 | ········ | 137 | ········enabled="no" |
| 138 | ········state="stopped" | ||
| 139 | ······register:·service_result | ||
| 140 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 151 | ······with_items: | 141 | ······with_items: |
| 152 | ········-· | 142 | ········-·named |
| 153 | ······tags: | 143 | ······tags: |
| 154 | ········-· | 144 | ········-·service_named_disabled |
| 155 | ········-· | 145 | ········-·unknown_severity |
| 156 | ········-·disable_strategy | 146 | ········-·disable_strategy |
| 157 | ········-·low_complexity | 147 | ········-·low_complexity |
| 158 | ········-·low_disruption | 148 | ········-·low_disruption |
| 159 | ········-·CCE-2 | 149 | ········-·CCE-26873-0 |
| 160 | ········-·NIST-800-53-CM-7 | 150 | ········-·NIST-800-53-CM-7 |
| 161 | ········-·DISA-STIG-RHEL-06-000288 | ||
| 162 | ···· | 151 | ···· |
| 163 | ····-·name:·Ensure· | 152 | ····-·name:·Ensure·bind·is·removed |
| 164 | ······package: | 153 | ······package: |
| 165 | ········name="{{item}}" | 154 | ········name="{{item}}" |
| 166 | ········state=absent | 155 | ········state=absent |
| 167 | ······with_items: | 156 | ······with_items: |
| 168 | ········-· | 157 | ········-·bind |
| 169 | ······tags: | 158 | ······tags: |
| 170 | ········-·package_ | 159 | ········-·package_bind_removed |
| 171 | ········-· | 160 | ········-·unknown_severity |
| 172 | ········-·disable_strategy | 161 | ········-·disable_strategy |
| 173 | ········-·low_complexity | 162 | ········-·low_complexity |
| 174 | ········-·low_disruption | 163 | ········-·low_disruption |
| 175 | ········-·CCE-27 | 164 | ········-·CCE-27030-6 |
| Max diff block lines reached; 159145/164250 bytes (96.89%) of diff not shown. | |||
| Offset 46, 26 lines modified | Offset 46, 26 lines modified | ||
| 46 | ······sshd_idle_timeout_value:·7200 | 46 | ······sshd_idle_timeout_value:·7200 |
| 47 | ······rsyslog_remote_loghost_address:·logcollector | 47 | ······rsyslog_remote_loghost_address:·logcollector |
| 48 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 49 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 50 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 50 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 51 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 52 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 53 | ······sysctl_net_ipv4_icmp_ | 53 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 54 | ······sysctl_net_ipv4_conf_default_ | 54 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 55 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 55 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 56 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 56 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_conf_ | 57 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 58 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 58 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 59 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 59 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 60 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 60 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 61 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 61 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 62 | ······sysctl_net_ipv4_icmp_ | 62 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 63 | ······sysctl_net_ipv4_conf_ | 63 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 64 | ······sysctl_net_ipv4_conf_default_ | 64 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 65 | ······var_selinux_policy_name:·targeted | 65 | ······var_selinux_policy_name:·targeted |
| 66 | ······var_selinux_state:·enforcing | 66 | ······var_selinux_state:·enforcing |
| 67 | ······var_accounts_password_warn_age_login_defs:·7 | 67 | ······var_accounts_password_warn_age_login_defs:·7 |
| 68 | ······var_accounts_minimum_age_login_defs:·7 | 68 | ······var_accounts_minimum_age_login_defs:·7 |
| 69 | ······var_accounts_maximum_age_login_defs:·90 | 69 | ······var_accounts_maximum_age_login_defs:·90 |
| 70 | ······var_account_disable_post_pw_expiration:·30 | 70 | ······var_account_disable_post_pw_expiration:·30 |
| 71 | ······var_password_pam_unix_remember:·5 | 71 | ······var_password_pam_unix_remember:·5 |
| Offset 274, 14 lines modified | Offset 274, 30 lines modified | ||
| 274 | ········-·disable_strategy | 274 | ········-·disable_strategy |
| 275 | ········-·low_complexity | 275 | ········-·low_complexity |
| 276 | ········-·low_disruption | 276 | ········-·low_disruption |
| 277 | ········-·CCE-80212-4 | 277 | ········-·CCE-80212-4 |
| 278 | ········-·NIST-800-53-AC-17(8) | 278 | ········-·NIST-800-53-AC-17(8) |
| 279 | ········-·NIST-800-53-CM-7 | 279 | ········-·NIST-800-53-CM-7 |
| 280 | ···· | 280 | ···· |
| 281 | ····-·name:·Ensure·tcp_wrappers·is·installed | ||
| 282 | ······package: | ||
| 283 | ········name="{{item}}" | ||
| 284 | ········state=present | ||
| 285 | ······with_items: | ||
| 286 | ········-·tcp_wrappers | ||
| 287 | ······tags: | ||
| 288 | ········-·package_tcp_wrappers_installed | ||
| 289 | ········-·medium_severity | ||
| 290 | ········-·enable_strategy | ||
| 291 | ········-·low_complexity | ||
| 292 | ········-·low_disruption | ||
| 293 | ········-·CCE-27361-5 | ||
| 294 | ········-·NIST-800-53-CM-6(b) | ||
| 295 | ········-·DISA-STIG-RHEL-07-TBD | ||
| 296 | ···· | ||
| 281 | ····-·name:·Disable·service·xinetd | 297 | ····-·name:·Disable·service·xinetd |
| 282 | ······service: | 298 | ······service: |
| 283 | ········name="{{item}}" | 299 | ········name="{{item}}" |
| 284 | ········enabled="no" | 300 | ········enabled="no" |
| 285 | ········state="stopped" | 301 | ········state="stopped" |
| 286 | ······register:·service_result | 302 | ······register:·service_result |
| 287 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 303 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 294, 30 lines modified | Offset 310, 14 lines modified | ||
| 294 | ········-·low_complexity | 310 | ········-·low_complexity |
| 295 | ········-·low_disruption | 311 | ········-·low_disruption |
| 296 | ········-·CCE-27443-1 | 312 | ········-·CCE-27443-1 |
| 297 | ········-·NIST-800-53-AC-17(8) | 313 | ········-·NIST-800-53-AC-17(8) |
| 298 | ········-·NIST-800-53-CM-7 | 314 | ········-·NIST-800-53-CM-7 |
| 299 | ········-·NIST-800-171-3.4.7 | 315 | ········-·NIST-800-171-3.4.7 |
| 300 | ···· | 316 | ···· |
| 301 | ····-·name:·Ensure·tcp_wrappers·is·installed | ||
| 302 | ······package: | ||
| 303 | ········name="{{item}}" | ||
| 304 | ········state=present | ||
| 305 | ······with_items: | ||
| 306 | ········-·tcp_wrappers | ||
| 307 | ······tags: | ||
| 308 | ········-·package_tcp_wrappers_installed | ||
| 309 | ········-·medium_severity | ||
| 310 | ········-·enable_strategy | ||
| 311 | ········-·low_complexity | ||
| 312 | ········-·low_disruption | ||
| 313 | ········-·CCE-27361-5 | ||
| 314 | ········-·NIST-800-53-CM-6(b) | ||
| 315 | ········-·DISA-STIG-RHEL-07-TBD | ||
| 316 | ···· | ||
| 317 | ····-·name:·Ensure·talk·is·removed | 317 | ····-·name:·Ensure·talk·is·removed |
| 318 | ······package: | 318 | ······package: |
| 319 | ········name="{{item}}" | 319 | ········name="{{item}}" |
| 320 | ········state=absent | 320 | ········state=absent |
| 321 | ······with_items: | 321 | ······with_items: |
| 322 | ········-·talk | 322 | ········-·talk |
| 323 | ······tags: | 323 | ······tags: |
| Offset 338, 14 lines modified | Offset 338, 31 lines modified | ||
| 338 | ········-·package_talk-server_removed | 338 | ········-·package_talk-server_removed |
| 339 | ········-·medium_severity | 339 | ········-·medium_severity |
| 340 | ········-·disable_strategy | 340 | ········-·disable_strategy |
| 341 | ········-·low_complexity | 341 | ········-·low_complexity |
| 342 | ········-·low_disruption | 342 | ········-·low_disruption |
| 343 | ········-·CCE-27210-4 | 343 | ········-·CCE-27210-4 |
| 344 | ···· | 344 | ···· |
| 345 | ····-·name:·Disable·service·dovecot | ||
| 346 | ······service: | ||
| 347 | ········name="{{item}}" | ||
| 348 | ········enabled="no" | ||
| 349 | ········state="stopped" | ||
| 350 | ······register:·service_result | ||
| 351 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 352 | ······with_items: | ||
| 353 | ········-·dovecot | ||
| 354 | ······tags: | ||
| 355 | ········-·service_dovecot_disabled | ||
| 356 | ········-·unknown_severity | ||
| 357 | ········-·disable_strategy | ||
| 358 | ········-·low_complexity | ||
| 359 | ········-·low_disruption | ||
| 360 | ········-·CCE-80294-2 | ||
| 361 | ···· | ||
| 345 | ····-·name:·Disable·service·vsftpd | 362 | ····-·name:·Disable·service·vsftpd |
| 346 | ······service: | 363 | ······service: |
| 347 | ········name="{{item}}" | 364 | ········name="{{item}}" |
| 348 | ········enabled="no" | 365 | ········enabled="no" |
| 349 | ········state="stopped" | 366 | ········state="stopped" |
| 350 | ······register:·service_result | 367 | ······register:·service_result |
| 351 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 368 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 496, 31 lines modified | Offset 513, 14 lines modified | ||
| 496 | ········-·medium_severity | 513 | ········-·medium_severity |
| 497 | ········-·disable_strategy | 514 | ········-·disable_strategy |
| 498 | ········-·low_complexity | 515 | ········-·low_complexity |
| 499 | ········-·low_disruption | 516 | ········-·low_disruption |
| 500 | ········-·CCE-80330-4 | 517 | ········-·CCE-80330-4 |
| 501 | ········-·NIST-800-53-CM-7 | 518 | ········-·NIST-800-53-CM-7 |
| Max diff block lines reached; 97763/102303 bytes (95.56%) of diff not shown. | |||
| Offset 37, 28 lines modified | Offset 37, 28 lines modified | ||
| 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 38 | ·········· | 38 | ·········· |
| 39 | ···vars: | 39 | ···vars: |
| 40 | ······sshd_idle_timeout_value:·1800 | 40 | ······sshd_idle_timeout_value:·1800 |
| 41 | ······sshd_listening_port:·22 | 41 | ······sshd_listening_port:·22 |
| 42 | ······inactivity_timeout_value:·1800 | 42 | ······inactivity_timeout_value:·1800 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 44 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 45 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 46 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | 44 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 47 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 48 | ······var_accounts_minimum_age_login_defs:·1 | 48 | ······var_accounts_minimum_age_login_defs:·1 |
| 49 | ······var_account_disable_post_pw_expiration:·0 | 49 | ······var_account_disable_post_pw_expiration:·0 |
| 50 | ······var_password_pam_minlen:·12 | 50 | ······var_password_pam_minlen:·12 |
| 51 | ······var_password_pam_difok:·6 | 51 | ······var_password_pam_difok:·6 |
| 52 | ······var_accounts_max_concurrent_login_sessions:·3 | 52 | ······var_accounts_max_concurrent_login_sessions:·3 |
| 53 | ······var_auditd_max_log_file:·1 | 53 | ······var_auditd_max_log_file:·1 |
| 54 | ······var_auditd_action_mail_acct:·admin | 54 | ······var_auditd_action_mail_acct:·admin |
| 55 | ······var_auditd_space_left_action:·suspend | ||
| 56 | ······var_auditd_admin_space_left_action:·suspend | 55 | ······var_auditd_admin_space_left_action:·suspend |
| 57 | ······var_auditd_max_log_file_action:·rotate | 56 | ······var_auditd_max_log_file_action:·rotate |
| 57 | ······var_auditd_space_left_action:·suspend | ||
| 58 | ···tasks: | 58 | ···tasks: |
| 59 | ····-·name:·Disable·SSH·Access·via·Empty·Passwords | 59 | ····-·name:·Disable·SSH·Access·via·Empty·Passwords |
| 60 | ······lineinfile: | 60 | ······lineinfile: |
| 61 | ········create:·yes | 61 | ········create:·yes |
| 62 | ········dest:·/etc/ssh/sshd_config | 62 | ········dest:·/etc/ssh/sshd_config |
| 63 | ········regexp:·^PermitEmptyPasswords | 63 | ········regexp:·^PermitEmptyPasswords |
| 64 | ········line:·PermitEmptyPasswords·no | 64 | ········line:·PermitEmptyPasswords·no |
| Offset 96, 14 lines modified | Offset 96, 39 lines modified | ||
| 96 | ········-·NIST-800-53-AC-2(5) | 96 | ········-·NIST-800-53-AC-2(5) |
| 97 | ········-·NIST-800-53-SA-8 | 97 | ········-·NIST-800-53-SA-8 |
| 98 | ········-·NIST-800-53-AC-12 | 98 | ········-·NIST-800-53-AC-12 |
| 99 | ········-·NIST-800-171-3.1.11 | 99 | ········-·NIST-800-171-3.1.11 |
| 100 | ········-·CJIS-5.5.6 | 100 | ········-·CJIS-5.5.6 |
| 101 | ········-·DISA-STIG-RHEL-07-040340 | 101 | ········-·DISA-STIG-RHEL-07-040340 |
| 102 | ···· | 102 | ···· |
| 103 | ···· | ||
| 104 | ···· | ||
| 105 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 106 | ······lineinfile: | ||
| 107 | ········create:·yes | ||
| 108 | ········dest:·/etc/ssh/sshd_config | ||
| 109 | ········regexp:·^ClientAliveInterval | ||
| 110 | ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}" | ||
| 111 | ········validate:·sshd·-t·-f·%s | ||
| 112 | ······#notify:·restart·sshd | ||
| 113 | ······tags: | ||
| 114 | ········-·sshd_set_idle_timeout | ||
| 115 | ········-·unknown_severity | ||
| 116 | ········-·restrict_strategy | ||
| 117 | ········-·low_complexity | ||
| 118 | ········-·low_disruption | ||
| 119 | ········-·CCE-27433-2 | ||
| 120 | ········-·NIST-800-53-AC-2(5) | ||
| 121 | ········-·NIST-800-53-SA-8(i) | ||
| 122 | ········-·NIST-800-53-AC-12 | ||
| 123 | ········-·NIST-800-171-3.1.11 | ||
| 124 | ········-·PCI-DSS-Req-8.1.8 | ||
| 125 | ········-·CJIS-5.5.6 | ||
| 126 | ········-·DISA-STIG-RHEL-07-040320 | ||
| 127 | ···· | ||
| 103 | ····-·name:·Enable·SSH·Warning·Banner | 128 | ····-·name:·Enable·SSH·Warning·Banner |
| 104 | ······lineinfile: | 129 | ······lineinfile: |
| 105 | ········create:·yes | 130 | ········create:·yes |
| 106 | ········dest:·/etc/ssh/sshd_config | 131 | ········dest:·/etc/ssh/sshd_config |
| 107 | ········regexp:·^Banner | 132 | ········regexp:·^Banner |
| 108 | ········line:·Banner·/etc/issue | 133 | ········line:·Banner·/etc/issue |
| 109 | ········validate:·sshd·-t·-f·%s | 134 | ········validate:·sshd·-t·-f·%s |
| Offset 119, 33 lines modified | Offset 144, 14 lines modified | ||
| 119 | ········-·NIST-800-53-AC-8(c)(1) | 144 | ········-·NIST-800-53-AC-8(c)(1) |
| 120 | ········-·NIST-800-53-AC-8(c)(2) | 145 | ········-·NIST-800-53-AC-8(c)(2) |
| 121 | ········-·NIST-800-53-AC-8(c)(3) | 146 | ········-·NIST-800-53-AC-8(c)(3) |
| 122 | ········-·NIST-800-171-3.1.9 | 147 | ········-·NIST-800-171-3.1.9 |
| 123 | ········-·CJIS-5.5.6 | 148 | ········-·CJIS-5.5.6 |
| 124 | ········-·DISA-STIG-RHEL-07-040170 | 149 | ········-·DISA-STIG-RHEL-07-040170 |
| 125 | ···· | 150 | ···· |
| 126 | ····-·name:·Do·Not·Allow·SSH·Environment·Options | ||
| 127 | ······lineinfile: | ||
| 128 | ········create:·yes | ||
| 129 | ········dest:·/etc/ssh/sshd_config | ||
| 130 | ········regexp:·^PermitUserEnvironment | ||
| 131 | ········line:·PermitUserEnvironment·no | ||
| 132 | ········validate:·sshd·-t·-f·%s | ||
| 133 | ······tags: | ||
| 134 | ········-·sshd_do_not_permit_user_env | ||
| 135 | ········-·medium_severity | ||
| 136 | ········-·restrict_strategy | ||
| 137 | ········-·low_complexity | ||
| 138 | ········-·low_disruption | ||
| 139 | ········-·CCE-27363-1 | ||
| 140 | ········-·NIST-800-53-CM-6(b) | ||
| 141 | ········-·NIST-800-171-3.1.12 | ||
| 142 | ········-·CJIS-5.5.6 | ||
| 143 | ········-·DISA-STIG-RHEL-07-010460 | ||
| 144 | ···· | ||
| 145 | ···· | 151 | ···· |
| 146 | ····-·name:·"Allow·Only·SSH·Protocol·2" | 152 | ····-·name:·"Allow·Only·SSH·Protocol·2" |
| 147 | ······lineinfile: | 153 | ······lineinfile: |
| 148 | ········dest:·/etc/ssh/sshd_config | 154 | ········dest:·/etc/ssh/sshd_config |
| 149 | ········regexp:·"^Protocol·[0-9]" | 155 | ········regexp:·"^Protocol·[0-9]" |
| 150 | ········line:·"Protocol·2" | 156 | ········line:·"Protocol·2" |
| 151 | ········validate:·sshd·-t·-f·%s | 157 | ········validate:·sshd·-t·-f·%s |
| Offset 180, 38 lines modified | Offset 186, 32 lines modified | ||
| 180 | ········-·CCE-27377-1 | 186 | ········-·CCE-27377-1 |
| 181 | ········-·NIST-800-53-AC-3 | 187 | ········-·NIST-800-53-AC-3 |
| 182 | ········-·NIST-800-53-CM-6(a) | 188 | ········-·NIST-800-53-CM-6(a) |
| 183 | ········-·NIST-800-171-3.1.12 | 189 | ········-·NIST-800-171-3.1.12 |
| 184 | ········-·CJIS-5.5.6 | 190 | ········-·CJIS-5.5.6 |
| 185 | ········-·DISA-STIG-RHEL-07-040350 | 191 | ········-·DISA-STIG-RHEL-07-040350 |
| 186 | ···· | 192 | ···· |
| 187 | ···· | 193 | ····-·name:·Do·Not·Allow·SSH·Environment·Options |
| 188 | ···· | ||
| 189 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 190 | ······lineinfile: | 194 | ······lineinfile: |
| 191 | ········create:·yes | 195 | ········create:·yes |
| 192 | ········dest:·/etc/ssh/sshd_config | 196 | ········dest:·/etc/ssh/sshd_config |
| 193 | ········regexp:·^ | 197 | ········regexp:·^PermitUserEnvironment |
| 194 | ········line:· | 198 | ········line:·PermitUserEnvironment·no |
| 195 | ········validate:·sshd·-t·-f·%s | 199 | ········validate:·sshd·-t·-f·%s |
| 196 | ······#notify:·restart·sshd | ||
| 197 | ······tags: | 200 | ······tags: |
| 198 | ········-·sshd_ | 201 | ········-·sshd_do_not_permit_user_env |
| 199 | ········-· | 202 | ········-·medium_severity |
| 200 | ········-·restrict_strategy | 203 | ········-·restrict_strategy |
| Max diff block lines reached; 66416/70623 bytes (94.04%) of diff not shown. | |||
| Offset 220, 14 lines modified | Offset 220, 28 lines modified | ||
| 220 | ········-·low_complexity | 220 | ········-·low_complexity |
| 221 | ········-·low_disruption | 221 | ········-·low_disruption |
| 222 | ········-·CCE-27165-0 | 222 | ········-·CCE-27165-0 |
| 223 | ········-·NIST-800-53-AC-17(8) | 223 | ········-·NIST-800-53-AC-17(8) |
| 224 | ········-·NIST-800-53-CM-7(a) | 224 | ········-·NIST-800-53-CM-7(a) |
| 225 | ········-·DISA-STIG-RHEL-07-021710 | 225 | ········-·DISA-STIG-RHEL-07-021710 |
| 226 | ···· | 226 | ···· |
| 227 | ····-·name:·Ensure·ypbind·is·removed | ||
| 228 | ······package: | ||
| 229 | ········name="{{item}}" | ||
| 230 | ········state=absent | ||
| 231 | ······with_items: | ||
| 232 | ········-·ypbind | ||
| 233 | ······tags: | ||
| 234 | ········-·package_ypbind_removed | ||
| 235 | ········-·unknown_severity | ||
| 236 | ········-·disable_strategy | ||
| 237 | ········-·low_complexity | ||
| 238 | ········-·low_disruption | ||
| 239 | ········-·CCE-27396-1 | ||
| 240 | ···· | ||
| 227 | ····-·name:·Disable·service·ypbind | 241 | ····-·name:·Disable·service·ypbind |
| 228 | ······service: | 242 | ······service: |
| 229 | ········name="{{item}}" | 243 | ········name="{{item}}" |
| 230 | ········enabled="no" | 244 | ········enabled="no" |
| 231 | ········state="stopped" | 245 | ········state="stopped" |
| 232 | ······register:·service_result | 246 | ······register:·service_result |
| 233 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 247 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 239, 28 lines modified | Offset 253, 14 lines modified | ||
| 239 | ········-·disable_strategy | 253 | ········-·disable_strategy |
| 240 | ········-·low_complexity | 254 | ········-·low_complexity |
| 241 | ········-·low_disruption | 255 | ········-·low_disruption |
| 242 | ········-·CCE-27385-4 | 256 | ········-·CCE-27385-4 |
| 243 | ········-·NIST-800-53-AC-17(8) | 257 | ········-·NIST-800-53-AC-17(8) |
| 244 | ········-·NIST-800-53-CM-7 | 258 | ········-·NIST-800-53-CM-7 |
| 245 | ···· | 259 | ···· |
| 246 | ····-·name:·Ensure·ypbind·is·removed | ||
| 247 | ······package: | ||
| 248 | ········name="{{item}}" | ||
| 249 | ········state=absent | ||
| 250 | ······with_items: | ||
| 251 | ········-·ypbind | ||
| 252 | ······tags: | ||
| 253 | ········-·package_ypbind_removed | ||
| 254 | ········-·unknown_severity | ||
| 255 | ········-·disable_strategy | ||
| 256 | ········-·low_complexity | ||
| 257 | ········-·low_disruption | ||
| 258 | ········-·CCE-27396-1 | ||
| 259 | ···· | ||
| 260 | ····-·name:·Ensure·ypserv·is·removed | 260 | ····-·name:·Ensure·ypserv·is·removed |
| 261 | ······package: | 261 | ······package: |
| 262 | ········name="{{item}}" | 262 | ········name="{{item}}" |
| 263 | ········state=absent | 263 | ········state=absent |
| 264 | ······with_items: | 264 | ······with_items: |
| 265 | ········-·ypserv | 265 | ········-·ypserv |
| 266 | ······tags: | 266 | ······tags: |
| Offset 389, 14 lines modified | Offset 389, 33 lines modified | ||
| 389 | ········-·low_disruption | 389 | ········-·low_disruption |
| 390 | ········-·CCE-80258-7 | 390 | ········-·CCE-80258-7 |
| 391 | ········-·NIST-800-53-AC-17(8) | 391 | ········-·NIST-800-53-AC-17(8) |
| 392 | ········-·NIST-800-53-CM-7 | 392 | ········-·NIST-800-53-CM-7 |
| 393 | ········-·NIST-800-53-CM-6(b) | 393 | ········-·NIST-800-53-CM-6(b) |
| 394 | ········-·DISA-STIG-RHEL-07-021300 | 394 | ········-·DISA-STIG-RHEL-07-021300 |
| 395 | ···· | 395 | ···· |
| 396 | ····-·name:·"Enable·Use·of·Strict·Mode·Checking" | ||
| 397 | ······lineinfile: | ||
| 398 | ········create:·yes | ||
| 399 | ········dest:·/etc/ssh/sshd_config | ||
| 400 | ········regexp:·(?i)^#?strictmodes | ||
| 401 | ········line:·StrictModes·yes | ||
| 402 | ········validate:·sshd·-t·-f·%s | ||
| 403 | ······#notify:·restart·sshd | ||
| 404 | ······tags: | ||
| 405 | ········-·sshd_enable_strictmodes | ||
| 406 | ········-·medium_severity | ||
| 407 | ········-·restrict_strategy | ||
| 408 | ········-·low_complexity | ||
| 409 | ········-·low_disruption | ||
| 410 | ········-·CCE-80222-3 | ||
| 411 | ········-·NIST-800-53-AC-6 | ||
| 412 | ········-·NIST-800-171-3.1.12 | ||
| 413 | ········-·DISA-STIG-RHEL-07-040450 | ||
| 414 | ···· | ||
| 396 | ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts" | 415 | ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts" |
| 397 | ······lineinfile: | 416 | ······lineinfile: |
| 398 | ········create:·yes | 417 | ········create:·yes |
| 399 | ········dest:·/etc/ssh/sshd_config | 418 | ········dest:·/etc/ssh/sshd_config |
| 400 | ········regexp:·^IgnoreUserKnownHosts | 419 | ········regexp:·^IgnoreUserKnownHosts |
| 401 | ········line:·IgnoreUserKnownHosts·yes | 420 | ········line:·IgnoreUserKnownHosts·yes |
| 402 | ········validate:·sshd·-t·-f·%s | 421 | ········validate:·sshd·-t·-f·%s |
| Offset 452, 32 lines modified | Offset 471, 14 lines modified | ||
| 452 | ········-·NIST-800-53-AC-2(5) | 471 | ········-·NIST-800-53-AC-2(5) |
| 453 | ········-·NIST-800-53-SA-8 | 472 | ········-·NIST-800-53-SA-8 |
| 454 | ········-·NIST-800-53-AC-12 | 473 | ········-·NIST-800-53-AC-12 |
| 455 | ········-·NIST-800-171-3.1.11 | 474 | ········-·NIST-800-171-3.1.11 |
| 456 | ········-·CJIS-5.5.6 | 475 | ········-·CJIS-5.5.6 |
| 457 | ········-·DISA-STIG-RHEL-07-040340 | 476 | ········-·DISA-STIG-RHEL-07-040340 |
| 458 | ···· | 477 | ···· |
| 459 | ····-·name:·Disable·SSH·Support·for·Rhosts·RSA·Authentication | ||
| 460 | ······lineinfile: | ||
| 461 | ········create:·yes | ||
| 462 | ········dest:·/etc/ssh/sshd_config | ||
| 463 | ········regexp:·^RhostsRSAAuthentication | ||
| 464 | ········line:·RhostsRSAAuthentication·no | ||
| 465 | ········validate:·sshd·-t·-f·%s | ||
| 466 | ······tags: | ||
| 467 | ········-·sshd_disable_rhosts_rsa | ||
| 468 | ········-·medium_severity | ||
| 469 | ········-·restrict_strategy | ||
| 470 | ········-·low_complexity | ||
| 471 | ········-·low_disruption | ||
| 472 | ········-·CCE-80373-4 | ||
| 473 | ········-·NIST-800-53-CM-6(a) | ||
| 474 | ········-·NIST-800-171-3.1.12 | ||
| 475 | ········-·DISA-STIG-RHEL-07-040330 | ||
| 476 | ···· | ||
| 477 | ····-·name:·Enable·SSH·Warning·Banner | 478 | ····-·name:·Enable·SSH·Warning·Banner |
| 478 | ······lineinfile: | 479 | ······lineinfile: |
| 479 | ········create:·yes | 480 | ········create:·yes |
| 480 | ········dest:·/etc/ssh/sshd_config | 481 | ········dest:·/etc/ssh/sshd_config |
| 481 | ········regexp:·^Banner | 482 | ········regexp:·^Banner |
| 482 | ········line:·Banner·/etc/issue | 483 | ········line:·Banner·/etc/issue |
| 483 | ········validate:·sshd·-t·-f·%s | 484 | ········validate:·sshd·-t·-f·%s |
| Offset 516, 33 lines modified | Offset 517, 14 lines modified | ||
| 516 | ········-·NIST-800-53-IA-7 | 517 | ········-·NIST-800-53-IA-7 |
| 517 | ········-·NIST-800-53-SC-13 | 518 | ········-·NIST-800-53-SC-13 |
| Max diff block lines reached; 98846/102348 bytes (96.58%) of diff not shown. | |||
| Offset 50, 93 lines modified | Offset 50, 93 lines modified | ||
| 50 | ·········· | 50 | ·········· |
| 51 | ···vars: | 51 | ···vars: |
| 52 | ······sshd_idle_timeout_value:·600 | 52 | ······sshd_idle_timeout_value:·600 |
| 53 | ······sshd_listening_port:·22 | 53 | ······sshd_listening_port:·22 |
| 54 | ······inactivity_timeout_value:·600 | 54 | ······inactivity_timeout_value:·600 |
| 55 | ······rsyslog_remote_loghost_address:·logcollector | 55 | ······rsyslog_remote_loghost_address:·logcollector |
| 56 | ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0 | 56 | ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0 |
| 57 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | ||
| 58 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 57 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 58 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | ||
| 59 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 59 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 60 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 60 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 61 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 61 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 62 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 62 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 63 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 63 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 64 | ······sysctl_net_ipv4_icmp_ | 64 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 65 | ······sysctl_net_ipv4_conf_default_ | 65 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 66 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 66 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 67 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 67 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 68 | ······sysctl_net_ipv4_conf_ | 68 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 69 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 69 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 70 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 70 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 71 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 71 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 72 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 72 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 73 | ······sysctl_net_ipv4_icmp_ | 73 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 74 | ······sysctl_net_ipv4_conf_ | 74 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 75 | ······sysctl_net_ipv4_conf_default_ | 75 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 76 | ······var_ssh_sysadm_login:·false | 76 | ······var_ssh_sysadm_login:·false |
| 77 | ······var_login_console_enabled:·true | ||
| 77 | ······var_auditadm_exec_content:·true | 78 | ······var_auditadm_exec_content:·true |
| 78 | ······var_selinuxuser_execstack:·true | 79 | ······var_selinuxuser_execstack:·true |
| 79 | ······var_mount_anyfile:·true | 80 | ······var_mount_anyfile:·true |
| 80 | ······var_ | 81 | ······var_cron_system_cronjob_use_shares:·false |
| 81 | ······var_cron_can_relabel:·false | 82 | ······var_cron_can_relabel:·false |
| 83 | ······var_guest_exec_content:·true | ||
| 84 | ······var_secure_mode:·false | ||
| 82 | ······var_user_exec_content:·true | 85 | ······var_user_exec_content:·true |
| 83 | ······var_deny_ptrace:·false | 86 | ······var_deny_ptrace:·false |
| 84 | ······var_guest_exec_content:·true | ||
| 85 | ······var_xserver_object_manager:·false | 87 | ······var_xserver_object_manager:·false |
| 86 | ······var_xdm_sysadm_login:·false | 88 | ······var_xdm_sysadm_login:·false |
| 89 | ······var_sysadm_exec_content:·true | ||
| 87 | ······var_selinuxuser_mysql_connect_enabled:·false | 90 | ······var_selinuxuser_mysql_connect_enabled:·false |
| 88 | ······var_ | 91 | ······var_selinuxuser_udp_server:·false |
| 89 | ······var_secure_mode:·false | ||
| 90 | ······var_ssh_keysign:·false | 92 | ······var_ssh_keysign:·false |
| 91 | ······var_staff_exec_content:·true | 93 | ······var_staff_exec_content:·true |
| 94 | ······var_gpg_web_anon_write:·false | ||
| 92 | ······var_xserver_execmem:·false | 95 | ······var_xserver_execmem:·false |
| 93 | ······var_ | 96 | ······var_cron_userdomain_transition:·true |
| 97 | ······var_xguest_mount_media:·true | ||
| 94 | ······var_selinuxuser_rw_noexattrfile:·true | 98 | ······var_selinuxuser_rw_noexattrfile:·true |
| 95 | ······var_deny_execmem:·false | 99 | ······var_deny_execmem:·false |
| 96 | ······var_ssh_chroot_rw_homedirs:·false | 100 | ······var_ssh_chroot_rw_homedirs:·false |
| 97 | ······var_logging_syslogd_can_sendmail:·false | ||
| 98 | ······var_abrt_anon_write:·false | 101 | ······var_abrt_anon_write:·false |
| 99 | ······var_ | 102 | ······var_kerberos_enabled:·true |
| 100 | ······var_logging_syslogd_use_tty:·true | 103 | ······var_logging_syslogd_use_tty:·true |
| 101 | ······var_login_console_enabled:·true | ||
| 102 | ······var_abrt_handle_event:·false | 104 | ······var_abrt_handle_event:·false |
| 105 | ······var_mock_enable_homedirs:·false | ||
| 106 | ······var_secure_mode_insmod:·false | ||
| 103 | ······var_unconfined_login:·true | 107 | ······var_unconfined_login:·true |
| 108 | ······var_logging_syslogd_can_sendmail:·false | ||
| 104 | ······var_selinuxuser_postgresql_connect_enabled:·false | 109 | ······var_selinuxuser_postgresql_connect_enabled:·false |
| 110 | ······var_daemons_use_tcp_wrapper:·false | ||
| 105 | ······var_abrt_upload_watch_anon_write:·true | 111 | ······var_abrt_upload_watch_anon_write:·true |
| 106 | ······var_daemons_use_tty:·false | 112 | ······var_daemons_use_tty:·false |
| 107 | ······var_selinuxuser_tcp_server:·false | 113 | ······var_selinuxuser_tcp_server:·false |
| 108 | ······var_selinuxuser_direct_dri_enabled:·true | 114 | ······var_selinuxuser_direct_dri_enabled:·true |
| 109 | ······var_xdm_bind_vnc_tcp_port:·false | 115 | ······var_xdm_bind_vnc_tcp_port:·false |
| 110 | ······var_xserver_clients_write_xshm:·false | 116 | ······var_xserver_clients_write_xshm:·false |
| 111 | ······var_use_ecryptfs_home_dirs:·false | 117 | ······var_use_ecryptfs_home_dirs:·false |
| 112 | ······var_mock_enable_homedirs:·false | ||
| 113 | ······var_xguest_exec_content:·true | 118 | ······var_xguest_exec_content:·true |
| 119 | ······var_xdm_write_home:·false | ||
| 120 | ······var_logadm_exec_content:·true | ||
| 114 | ······var_domain_fd_use:·true | 121 | ······var_domain_fd_use:·true |
| 115 | ······var_selinuxuser_udp_server:·false | ||
| 116 | ······var_mmap_low_allowed:·false | 122 | ······var_mmap_low_allowed:·false |
| 117 | ······var_selinuxuser_share_music:·false | 123 | ······var_selinuxuser_share_music:·false |
| 118 | ······var_selinuxuser_execmod:·true | 124 | ······var_selinuxuser_execmod:·true |
| 119 | ······var_cron_system_cronjob_use_shares:·false | ||
| 120 | ······var_logadm_exec_content:·true | ||
| 121 | ······var_xguest_connect_network:·true | 125 | ······var_xguest_connect_network:·true |
| 122 | ······var_xdm_write_home:·false | ||
| 123 | ······var_sysadm_exec_content:·true | ||
| 124 | ······var_xguest_use_bluetooth:·true | 126 | ······var_xguest_use_bluetooth:·true |
| 125 | ······var_ | 127 | ······var_selinuxuser_execheap:·false |
| 126 | ······var_secure_mode_policyload:·false | ||
| 127 | ······var_daemons_dump_core:·false | 128 | ······var_daemons_dump_core:·false |
| 128 | ······var_xdm_exec_bootloader:·false | 129 | ······var_xdm_exec_bootloader:·false |
| 129 | ······var_gpg_web_anon_write:·false | ||
| 130 | ······var_fips_mode:·true | 130 | ······var_fips_mode:·true |
| 131 | ······var_polyinstantiation_enabled:·false | 131 | ······var_polyinstantiation_enabled:·false |
| 132 | ······var_domain_kernel_load_modules:·false | 132 | ······var_domain_kernel_load_modules:·false |
| 133 | ······var_selinuxuser_use_ssh_chroot:·false | 133 | ······var_selinuxuser_use_ssh_chroot:·false |
| 134 | ······var_selinuxuser_ping:·true | 134 | ······var_selinuxuser_ping:·true |
| 135 | ······var_se | 135 | ······var_secure_mode_policyload:·false |
| 136 | ······var_secadm_exec_content:·true | 136 | ······var_secadm_exec_content:·true |
| 137 | ······var_selinux_policy_name:·targeted | 137 | ······var_selinux_policy_name:·targeted |
| 138 | ······var_selinux_state:·enforcing | 138 | ······var_selinux_state:·enforcing |
| 139 | ······var_accounts_password_minlen_login_defs:·6 | 139 | ······var_accounts_password_minlen_login_defs:·6 |
| 140 | ······var_accounts_password_warn_age_login_defs:·7 | 140 | ······var_accounts_password_warn_age_login_defs:·7 |
| 141 | ······var_accounts_minimum_age_login_defs:·7 | 141 | ······var_accounts_minimum_age_login_defs:·7 |
| 142 | ······var_accounts_maximum_age_login_defs:·60 | 142 | ······var_accounts_maximum_age_login_defs:·60 |
| Offset 156, 22 lines modified | Offset 156, 22 lines modified | ||
| 156 | ······var_password_pam_difok:·8 | 156 | ······var_password_pam_difok:·8 |
| 157 | ······var_password_pam_ocredit:·-1 | 157 | ······var_password_pam_ocredit:·-1 |
| 158 | ······var_password_pam_lcredit:·-1 | 158 | ······var_password_pam_lcredit:·-1 |
| 159 | ······var_password_pam_ucredit:·-1 | 159 | ······var_password_pam_ucredit:·-1 |
| 160 | ······var_password_pam_retry:·3 | 160 | ······var_password_pam_retry:·3 |
| 161 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 161 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 162 | ······var_accounts_user_umask:·077 | 162 | ······var_accounts_user_umask:·077 |
| 163 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 163 | ······var_accounts_fail_delay:·4 | 164 | ······var_accounts_fail_delay:·4 |
| 164 | ······var_accounts_tmout:·600 | 165 | ······var_accounts_tmout:·600 |
| 165 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 166 | ······var_auditd_max_log_file:·6 | 166 | ······var_auditd_max_log_file:·6 |
| 167 | ······var_auditd_action_mail_acct:·root | 167 | ······var_auditd_action_mail_acct:·root |
| 168 | ······var_auditd_space_left_action:·email | ||
| 169 | ······var_auditd_admin_space_left_action:·single | 168 | ······var_auditd_admin_space_left_action:·single |
| 170 | ······var_auditd_max_log_file_action:·rotate | 169 | ······var_auditd_max_log_file_action:·rotate |
| 170 | ······var_auditd_space_left_action:·email | ||
| 171 | ······var_removable_partition:·/dev/cdrom | 171 | ······var_removable_partition:·/dev/cdrom |
| 172 | ······var_removable_partition:·/dev/cdrom | 172 | ······var_removable_partition:·/dev/cdrom |
| 173 | ······var_removable_partition:·/dev/cdrom | 173 | ······var_removable_partition:·/dev/cdrom |
| Max diff block lines reached; 173777/180658 bytes (96.19%) of diff not shown. | |||
| Offset 61, 93 lines modified | Offset 61, 93 lines modified | ||
| 61 | ·········· | 61 | ·········· |
| 62 | ···vars: | 62 | ···vars: |
| 63 | ······sshd_idle_timeout_value:·600 | 63 | ······sshd_idle_timeout_value:·600 |
| 64 | ······sshd_listening_port:·22 | 64 | ······sshd_listening_port:·22 |
| 65 | ······inactivity_timeout_value:·900 | 65 | ······inactivity_timeout_value:·900 |
| 66 | ······rsyslog_remote_loghost_address:·logcollector | 66 | ······rsyslog_remote_loghost_address:·logcollector |
| 67 | ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0 | 67 | ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0 |
| 68 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | ||
| 69 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 68 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 69 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | ||
| 70 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 70 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 71 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 71 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 72 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 72 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 73 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 73 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 74 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 74 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 75 | ······sysctl_net_ipv4_icmp_ | 75 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 76 | ······sysctl_net_ipv4_conf_default_ | 76 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 77 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 77 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 78 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 78 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 79 | ······sysctl_net_ipv4_conf_ | 79 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 80 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 80 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 81 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 81 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 82 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 82 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 83 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 83 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 84 | ······sysctl_net_ipv4_icmp_ | 84 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 85 | ······sysctl_net_ipv4_conf_ | 85 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 86 | ······sysctl_net_ipv4_conf_default_ | 86 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 87 | ······var_ssh_sysadm_login:·false | 87 | ······var_ssh_sysadm_login:·false |
| 88 | ······var_login_console_enabled:·true | ||
| 88 | ······var_auditadm_exec_content:·true | 89 | ······var_auditadm_exec_content:·true |
| 89 | ······var_selinuxuser_execstack:·true | 90 | ······var_selinuxuser_execstack:·true |
| 90 | ······var_mount_anyfile:·true | 91 | ······var_mount_anyfile:·true |
| 91 | ······var_ | 92 | ······var_cron_system_cronjob_use_shares:·false |
| 92 | ······var_cron_can_relabel:·false | 93 | ······var_cron_can_relabel:·false |
| 94 | ······var_guest_exec_content:·true | ||
| 95 | ······var_secure_mode:·false | ||
| 93 | ······var_user_exec_content:·true | 96 | ······var_user_exec_content:·true |
| 94 | ······var_deny_ptrace:·false | 97 | ······var_deny_ptrace:·false |
| 95 | ······var_guest_exec_content:·true | ||
| 96 | ······var_xserver_object_manager:·false | 98 | ······var_xserver_object_manager:·false |
| 97 | ······var_xdm_sysadm_login:·false | 99 | ······var_xdm_sysadm_login:·false |
| 100 | ······var_sysadm_exec_content:·true | ||
| 98 | ······var_selinuxuser_mysql_connect_enabled:·false | 101 | ······var_selinuxuser_mysql_connect_enabled:·false |
| 99 | ······var_ | 102 | ······var_selinuxuser_udp_server:·false |
| 100 | ······var_secure_mode:·false | ||
| 101 | ······var_ssh_keysign:·false | 103 | ······var_ssh_keysign:·false |
| 102 | ······var_staff_exec_content:·true | 104 | ······var_staff_exec_content:·true |
| 105 | ······var_gpg_web_anon_write:·false | ||
| 103 | ······var_xserver_execmem:·false | 106 | ······var_xserver_execmem:·false |
| 104 | ······var_ | 107 | ······var_cron_userdomain_transition:·true |
| 108 | ······var_xguest_mount_media:·true | ||
| 105 | ······var_selinuxuser_rw_noexattrfile:·true | 109 | ······var_selinuxuser_rw_noexattrfile:·true |
| 106 | ······var_deny_execmem:·false | 110 | ······var_deny_execmem:·false |
| 107 | ······var_ssh_chroot_rw_homedirs:·false | 111 | ······var_ssh_chroot_rw_homedirs:·false |
| 108 | ······var_logging_syslogd_can_sendmail:·false | ||
| 109 | ······var_abrt_anon_write:·false | 112 | ······var_abrt_anon_write:·false |
| 110 | ······var_ | 113 | ······var_kerberos_enabled:·true |
| 111 | ······var_logging_syslogd_use_tty:·true | 114 | ······var_logging_syslogd_use_tty:·true |
| 112 | ······var_login_console_enabled:·true | ||
| 113 | ······var_abrt_handle_event:·false | 115 | ······var_abrt_handle_event:·false |
| 116 | ······var_mock_enable_homedirs:·false | ||
| 117 | ······var_secure_mode_insmod:·false | ||
| 114 | ······var_unconfined_login:·true | 118 | ······var_unconfined_login:·true |
| 119 | ······var_logging_syslogd_can_sendmail:·false | ||
| 115 | ······var_selinuxuser_postgresql_connect_enabled:·false | 120 | ······var_selinuxuser_postgresql_connect_enabled:·false |
| 121 | ······var_daemons_use_tcp_wrapper:·false | ||
| 116 | ······var_abrt_upload_watch_anon_write:·true | 122 | ······var_abrt_upload_watch_anon_write:·true |
| 117 | ······var_daemons_use_tty:·false | 123 | ······var_daemons_use_tty:·false |
| 118 | ······var_selinuxuser_tcp_server:·false | 124 | ······var_selinuxuser_tcp_server:·false |
| 119 | ······var_selinuxuser_direct_dri_enabled:·true | 125 | ······var_selinuxuser_direct_dri_enabled:·true |
| 120 | ······var_xdm_bind_vnc_tcp_port:·false | 126 | ······var_xdm_bind_vnc_tcp_port:·false |
| 121 | ······var_xserver_clients_write_xshm:·false | 127 | ······var_xserver_clients_write_xshm:·false |
| 122 | ······var_use_ecryptfs_home_dirs:·false | 128 | ······var_use_ecryptfs_home_dirs:·false |
| 123 | ······var_mock_enable_homedirs:·false | ||
| 124 | ······var_xguest_exec_content:·true | 129 | ······var_xguest_exec_content:·true |
| 130 | ······var_xdm_write_home:·false | ||
| 131 | ······var_logadm_exec_content:·true | ||
| 125 | ······var_domain_fd_use:·true | 132 | ······var_domain_fd_use:·true |
| 126 | ······var_selinuxuser_udp_server:·false | ||
| 127 | ······var_mmap_low_allowed:·false | 133 | ······var_mmap_low_allowed:·false |
| 128 | ······var_selinuxuser_share_music:·false | 134 | ······var_selinuxuser_share_music:·false |
| 129 | ······var_selinuxuser_execmod:·true | 135 | ······var_selinuxuser_execmod:·true |
| 130 | ······var_cron_system_cronjob_use_shares:·false | ||
| 131 | ······var_logadm_exec_content:·true | ||
| 132 | ······var_xguest_connect_network:·true | 136 | ······var_xguest_connect_network:·true |
| 133 | ······var_xdm_write_home:·false | ||
| 134 | ······var_sysadm_exec_content:·true | ||
| 135 | ······var_xguest_use_bluetooth:·true | 137 | ······var_xguest_use_bluetooth:·true |
| 136 | ······var_ | 138 | ······var_selinuxuser_execheap:·false |
| 137 | ······var_secure_mode_policyload:·false | ||
| 138 | ······var_daemons_dump_core:·false | 139 | ······var_daemons_dump_core:·false |
| 139 | ······var_xdm_exec_bootloader:·false | 140 | ······var_xdm_exec_bootloader:·false |
| 140 | ······var_gpg_web_anon_write:·false | ||
| 141 | ······var_fips_mode:·true | 141 | ······var_fips_mode:·true |
| 142 | ······var_polyinstantiation_enabled:·false | 142 | ······var_polyinstantiation_enabled:·false |
| 143 | ······var_domain_kernel_load_modules:·false | 143 | ······var_domain_kernel_load_modules:·false |
| 144 | ······var_selinuxuser_use_ssh_chroot:·false | 144 | ······var_selinuxuser_use_ssh_chroot:·false |
| 145 | ······var_selinuxuser_ping:·true | 145 | ······var_selinuxuser_ping:·true |
| 146 | ······var_se | 146 | ······var_secure_mode_policyload:·false |
| 147 | ······var_secadm_exec_content:·true | 147 | ······var_secadm_exec_content:·true |
| 148 | ······var_selinux_policy_name:·targeted | 148 | ······var_selinux_policy_name:·targeted |
| 149 | ······var_selinux_state:·enforcing | 149 | ······var_selinux_state:·enforcing |
| 150 | ······var_accounts_password_minlen_login_defs:·6 | 150 | ······var_accounts_password_minlen_login_defs:·6 |
| 151 | ······var_accounts_password_warn_age_login_defs:·7 | 151 | ······var_accounts_password_warn_age_login_defs:·7 |
| 152 | ······var_accounts_minimum_age_login_defs:·7 | 152 | ······var_accounts_minimum_age_login_defs:·7 |
| 153 | ······var_accounts_maximum_age_login_defs:·60 | 153 | ······var_accounts_maximum_age_login_defs:·60 |
| Offset 167, 22 lines modified | Offset 167, 22 lines modified | ||
| 167 | ······var_password_pam_difok:·8 | 167 | ······var_password_pam_difok:·8 |
| 168 | ······var_password_pam_ocredit:·-1 | 168 | ······var_password_pam_ocredit:·-1 |
| 169 | ······var_password_pam_lcredit:·-1 | 169 | ······var_password_pam_lcredit:·-1 |
| 170 | ······var_password_pam_ucredit:·-1 | 170 | ······var_password_pam_ucredit:·-1 |
| 171 | ······var_password_pam_retry:·3 | 171 | ······var_password_pam_retry:·3 |
| 172 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 172 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 173 | ······var_accounts_user_umask:·077 | 173 | ······var_accounts_user_umask:·077 |
| 174 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 174 | ······var_accounts_fail_delay:·4 | 175 | ······var_accounts_fail_delay:·4 |
| 175 | ······var_accounts_tmout:·600 | 176 | ······var_accounts_tmout:·600 |
| 176 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 177 | ······var_auditd_max_log_file:·6 | 177 | ······var_auditd_max_log_file:·6 |
| 178 | ······var_auditd_action_mail_acct:·root | 178 | ······var_auditd_action_mail_acct:·root |
| 179 | ······var_auditd_space_left_action:·email | ||
| 180 | ······var_auditd_admin_space_left_action:·single | 179 | ······var_auditd_admin_space_left_action:·single |
| 181 | ······var_auditd_max_log_file_action:·rotate | 180 | ······var_auditd_max_log_file_action:·rotate |
| 181 | ······var_auditd_space_left_action:·email | ||
| 182 | ······var_removable_partition:·/dev/cdrom | 182 | ······var_removable_partition:·/dev/cdrom |
| 183 | ······var_removable_partition:·/dev/cdrom | 183 | ······var_removable_partition:·/dev/cdrom |
| 184 | ······var_removable_partition:·/dev/cdrom | 184 | ······var_removable_partition:·/dev/cdrom |
| Max diff block lines reached; 173778/180659 bytes (96.19%) of diff not shown. | |||
| Offset 43, 17 lines modified | Offset 43, 17 lines modified | ||
| 43 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 43 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 44 | ······var_password_pam_minlen:·7 | 44 | ······var_password_pam_minlen:·7 |
| 45 | ······var_password_pam_dcredit:·-1 | 45 | ······var_password_pam_dcredit:·-1 |
| 46 | ······var_password_pam_lcredit:·-1 | 46 | ······var_password_pam_lcredit:·-1 |
| 47 | ······var_password_pam_ucredit:·-1 | 47 | ······var_password_pam_ucredit:·-1 |
| 48 | ······var_auditd_max_log_file:·1 | 48 | ······var_auditd_max_log_file:·1 |
| 49 | ······var_auditd_action_mail_acct:·admin | 49 | ······var_auditd_action_mail_acct:·admin |
| 50 | ······var_auditd_space_left_action:·suspend | ||
| 51 | ······var_auditd_admin_space_left_action:·suspend | 50 | ······var_auditd_admin_space_left_action:·suspend |
| 52 | ······var_auditd_max_log_file_action:·rotate | 51 | ······var_auditd_max_log_file_action:·rotate |
| 52 | ······var_auditd_space_left_action:·suspend | ||
| 53 | ···tasks: | 53 | ···tasks: |
| 54 | ···· | 54 | ···· |
| 55 | ···· | 55 | ···· |
| 56 | ····-·name:·Set·SSH·Idle·Timeout·Interval | 56 | ····-·name:·Set·SSH·Idle·Timeout·Interval |
| 57 | ······lineinfile: | 57 | ······lineinfile: |
| 58 | ········create:·yes | 58 | ········create:·yes |
| 59 | ········dest:·/etc/ssh/sshd_config | 59 | ········dest:·/etc/ssh/sshd_config |
| Offset 596, 91 lines modified | Offset 596, 91 lines modified | ||
| 596 | ········-·CCE-80111-8 | 596 | ········-·CCE-80111-8 |
| 597 | ········-·NIST-800-53-AC-11(a) | 597 | ········-·NIST-800-53-AC-11(a) |
| 598 | ········-·NIST-800-171-3.1.10 | 598 | ········-·NIST-800-171-3.1.10 |
| 599 | ········-·PCI-DSS-Req-8.1.8 | 599 | ········-·PCI-DSS-Req-8.1.8 |
| 600 | ········-·CJIS-5.5.5 | 600 | ········-·CJIS-5.5.5 |
| 601 | ········-·DISA-STIG-RHEL-07-010100 | 601 | ········-·DISA-STIG-RHEL-07-010100 |
| 602 | ···· | 602 | ···· |
| 603 | ···· | 603 | ····-·name:·"Implement·Blank·Screensaver" |
| 604 | ···· | ||
| 605 | ····-·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout" | ||
| 606 | ······ini_file: | 604 | ······ini_file: |
| 607 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" | 605 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" |
| 608 | ········section:·"org/gnome/desktop/screensaver" | 606 | ········section:·"org/gnome/desktop/screensaver" |
| 609 | ········option:·i | 607 | ········option:·picture-uri |
| 610 | ········value:· | 608 | ········value:·string·'' |
| 611 | ········create:·yes | 609 | ········create:·yes |
| 612 | ······tags: | 610 | ······tags: |
| 613 | ········-·dconf_gnome_screensaver_ | 611 | ········-·dconf_gnome_screensaver_mode_blank |
| 614 | ········-· | 612 | ········-·unknown_severity |
| 615 | ········-·unknown_strategy | 613 | ········-·unknown_strategy |
| 616 | ········-·low_complexity | 614 | ········-·low_complexity |
| 617 | ········-·medium_disruption | 615 | ········-·medium_disruption |
| 618 | ········-·CCE-8011 | 616 | ········-·CCE-80113-4 |
| 619 | ········-·NIST-800-53-AC-11( | 617 | ········-·NIST-800-53-AC-11(b) |
| 620 | ········-·NIST-800-171-3.1.10 | 618 | ········-·NIST-800-171-3.1.10 |
| 621 | ········-·PCI-DSS-Req-8.1.8 | 619 | ········-·PCI-DSS-Req-8.1.8 |
| 622 | ········-·CJIS-5.5.5 | 620 | ········-·CJIS-5.5.5 |
| 623 | ········-·DISA-STIG-RHEL-07-010070 | ||
| 624 | ···· | 621 | ···· |
| 625 | ····-·name:·"Prevent·user·modification·of·GNOME·i | 622 | ····-·name:·"Prevent·user·modification·of·GNOME·picture-uri" |
| 626 | ······lineinfile: | 623 | ······lineinfile: |
| 627 | ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock | 624 | ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock |
| 628 | ········regexp:·'^/org/gnome/desktop/screensaver/i | 625 | ········regexp:·'^/org/gnome/desktop/screensaver/picture-uri' |
| 629 | ········line:·'/org/gnome/desktop/screensaver/i | 626 | ········line:·'/org/gnome/desktop/screensaver/picture-uri' |
| 630 | ········create:·yes | 627 | ········create:·yes |
| 631 | ······tags: | 628 | ······tags: |
| 632 | ········-·dconf_gnome_screensaver_ | 629 | ········-·dconf_gnome_screensaver_mode_blank |
| 633 | ········-· | 630 | ········-·unknown_severity |
| 634 | ········-·unknown_strategy | 631 | ········-·unknown_strategy |
| 635 | ········-·low_complexity | 632 | ········-·low_complexity |
| 636 | ········-·medium_disruption | 633 | ········-·medium_disruption |
| 637 | ········-·CCE-8011 | 634 | ········-·CCE-80113-4 |
| 638 | ········-·NIST-800-53-AC-11( | 635 | ········-·NIST-800-53-AC-11(b) |
| 639 | ········-·NIST-800-171-3.1.10 | 636 | ········-·NIST-800-171-3.1.10 |
| 640 | ········-·PCI-DSS-Req-8.1.8 | 637 | ········-·PCI-DSS-Req-8.1.8 |
| 641 | ········-·CJIS-5.5.5 | 638 | ········-·CJIS-5.5.5 |
| 642 | ········-·DISA-STIG-RHEL-07-010070 | ||
| 643 | ···· | 639 | ···· |
| 644 | ···· | 640 | ···· |
| 641 | ···· | ||
| 642 | ····-·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout" | ||
| 645 | ······ini_file: | 643 | ······ini_file: |
| 646 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" | 644 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" |
| 647 | ········section:·"org/gnome/desktop/screensaver" | 645 | ········section:·"org/gnome/desktop/screensaver" |
| 648 | ········option:· | 646 | ········option:·idle-delay |
| 649 | ········value:· | 647 | ········value:·"{{·inactivity_timeout_value·}}" |
| 650 | ········create:·yes | 648 | ········create:·yes |
| 651 | ······tags: | 649 | ······tags: |
| 652 | ········-·dconf_gnome_screensaver_ | 650 | ········-·dconf_gnome_screensaver_idle_delay |
| 653 | ········-· | 651 | ········-·medium_severity |
| 654 | ········-·unknown_strategy | 652 | ········-·unknown_strategy |
| 655 | ········-·low_complexity | 653 | ········-·low_complexity |
| 656 | ········-·medium_disruption | 654 | ········-·medium_disruption |
| 657 | ········-·CCE-8011 | 655 | ········-·CCE-80110-0 |
| 658 | ········-·NIST-800-53-AC-11( | 656 | ········-·NIST-800-53-AC-11(a) |
| 659 | ········-·NIST-800-171-3.1.10 | 657 | ········-·NIST-800-171-3.1.10 |
| 660 | ········-·PCI-DSS-Req-8.1.8 | 658 | ········-·PCI-DSS-Req-8.1.8 |
| 661 | ········-·CJIS-5.5.5 | 659 | ········-·CJIS-5.5.5 |
| 660 | ········-·DISA-STIG-RHEL-07-010070 | ||
| 662 | ···· | 661 | ···· |
| 663 | ····-·name:·"Prevent·user·modification·of·GNOME· | 662 | ····-·name:·"Prevent·user·modification·of·GNOME·idle-delay" |
| 664 | ······lineinfile: | 663 | ······lineinfile: |
| 665 | ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock | 664 | ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock |
| 666 | ········regexp:·'^/org/gnome/desktop/screensaver/ | 665 | ········regexp:·'^/org/gnome/desktop/screensaver/idle-delay' |
| 667 | ········line:·'/org/gnome/desktop/screensaver/ | 666 | ········line:·'/org/gnome/desktop/screensaver/idle-delay' |
| 668 | ········create:·yes | 667 | ········create:·yes |
| 669 | ······tags: | 668 | ······tags: |
| 670 | ········-·dconf_gnome_screensaver_ | 669 | ········-·dconf_gnome_screensaver_idle_delay |
| 671 | ········-· | 670 | ········-·medium_severity |
| 672 | ········-·unknown_strategy | 671 | ········-·unknown_strategy |
| 673 | ········-·low_complexity | 672 | ········-·low_complexity |
| 674 | ········-·medium_disruption | 673 | ········-·medium_disruption |
| 675 | ········-·CCE-8011 | 674 | ········-·CCE-80110-0 |
| 676 | ········-·NIST-800-53-AC-11( | 675 | ········-·NIST-800-53-AC-11(a) |
| 677 | ········-·NIST-800-171-3.1.10 | 676 | ········-·NIST-800-171-3.1.10 |
| 678 | ········-·PCI-DSS-Req-8.1.8 | 677 | ········-·PCI-DSS-Req-8.1.8 |
| 679 | ········-·CJIS-5.5.5 | 678 | ········-·CJIS-5.5.5 |
| 679 | ········-·DISA-STIG-RHEL-07-010070 | ||
| 680 | ···· | 680 | ···· |
| 681 | ····-·name:·"Enable·GNOME3·Screensaver·Lock·After·Idle·Period" | 681 | ····-·name:·"Enable·GNOME3·Screensaver·Lock·After·Idle·Period" |
| 682 | ······ini_file: | 682 | ······ini_file: |
| 683 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" | 683 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" |
| 684 | ········section:·"org/gnome/desktop/screensaver" | 684 | ········section:·"org/gnome/desktop/screensaver" |
| 685 | ········option:·lock-enabled | 685 | ········option:·lock-enabled |
| 686 | ········value:·"true" | 686 | ········value:·"true" |
| Offset 1129, 79 lines modified | Offset 1129, 79 lines modified | ||
| 1129 | ········-·NIST-800-171-3.3.1 | 1129 | ········-·NIST-800-171-3.3.1 |
| 1130 | ········-·PCI-DSS-Req-10.7.a | 1130 | ········-·PCI-DSS-Req-10.7.a |
| 1131 | ········-·CJIS-5.4.1.1 | 1131 | ········-·CJIS-5.4.1.1 |
| 1132 | ········-·DISA-STIG-RHEL-07-030350 | 1132 | ········-·DISA-STIG-RHEL-07-030350 |
| 1133 | ···· | 1133 | ···· |
| 1134 | ···· | 1134 | ···· |
| 1135 | ···· | 1135 | ···· |
| 1136 | ····-·name:·Configure·auditd·space_left·Action·on·Low·Disk·Space | 1136 | ····-·name:·Configure·auditd·admin_space_left·Action·on·Low·Disk·Space |
| 1137 | ······lineinfile: | 1137 | ······lineinfile: |
| 1138 | ········dest:·/etc/audit/auditd.conf | 1138 | ········dest:·/etc/audit/auditd.conf |
| 1139 | ········line:·"space_left_action·=·{{·var_auditd_space_left_action·}}" | 1139 | ········line:·"admin_space_left_action·=·{{·var_auditd_admin_space_left_action·}}" |
| 1140 | ········regexp:·^space_left_action* | 1140 | ········regexp:·"^admin_space_left_action*" |
| Max diff block lines reached; 56742/62091 bytes (91.39%) of diff not shown. | |||
| Offset 164, 14 lines modified | Offset 164, 39 lines modified | ||
| 164 | ········-·NIST-800-53-AC-2(5) | 164 | ········-·NIST-800-53-AC-2(5) |
| 165 | ········-·NIST-800-53-SA-8 | 165 | ········-·NIST-800-53-SA-8 |
| 166 | ········-·NIST-800-53-AC-12 | 166 | ········-·NIST-800-53-AC-12 |
| 167 | ········-·NIST-800-171-3.1.11 | 167 | ········-·NIST-800-171-3.1.11 |
| 168 | ········-·CJIS-5.5.6 | 168 | ········-·CJIS-5.5.6 |
| 169 | ········-·DISA-STIG-RHEL-07-040340 | 169 | ········-·DISA-STIG-RHEL-07-040340 |
| 170 | ···· | 170 | ···· |
| 171 | ···· | ||
| 172 | ···· | ||
| 173 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 174 | ······lineinfile: | ||
| 175 | ········create:·yes | ||
| 176 | ········dest:·/etc/ssh/sshd_config | ||
| 177 | ········regexp:·^ClientAliveInterval | ||
| 178 | ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}" | ||
| 179 | ········validate:·sshd·-t·-f·%s | ||
| 180 | ······#notify:·restart·sshd | ||
| 181 | ······tags: | ||
| 182 | ········-·sshd_set_idle_timeout | ||
| 183 | ········-·unknown_severity | ||
| 184 | ········-·restrict_strategy | ||
| 185 | ········-·low_complexity | ||
| 186 | ········-·low_disruption | ||
| 187 | ········-·CCE-27433-2 | ||
| 188 | ········-·NIST-800-53-AC-2(5) | ||
| 189 | ········-·NIST-800-53-SA-8(i) | ||
| 190 | ········-·NIST-800-53-AC-12 | ||
| 191 | ········-·NIST-800-171-3.1.11 | ||
| 192 | ········-·PCI-DSS-Req-8.1.8 | ||
| 193 | ········-·CJIS-5.5.6 | ||
| 194 | ········-·DISA-STIG-RHEL-07-040320 | ||
| 195 | ···· | ||
| 171 | ····-·name:·Enable·SSH·Warning·Banner | 196 | ····-·name:·Enable·SSH·Warning·Banner |
| 172 | ······lineinfile: | 197 | ······lineinfile: |
| 173 | ········create:·yes | 198 | ········create:·yes |
| 174 | ········dest:·/etc/ssh/sshd_config | 199 | ········dest:·/etc/ssh/sshd_config |
| 175 | ········regexp:·^Banner | 200 | ········regexp:·^Banner |
| 176 | ········line:·Banner·/etc/issue | 201 | ········line:·Banner·/etc/issue |
| 177 | ········validate:·sshd·-t·-f·%s | 202 | ········validate:·sshd·-t·-f·%s |
| Offset 187, 33 lines modified | Offset 212, 14 lines modified | ||
| 187 | ········-·NIST-800-53-AC-8(c)(1) | 212 | ········-·NIST-800-53-AC-8(c)(1) |
| 188 | ········-·NIST-800-53-AC-8(c)(2) | 213 | ········-·NIST-800-53-AC-8(c)(2) |
| 189 | ········-·NIST-800-53-AC-8(c)(3) | 214 | ········-·NIST-800-53-AC-8(c)(3) |
| 190 | ········-·NIST-800-171-3.1.9 | 215 | ········-·NIST-800-171-3.1.9 |
| 191 | ········-·CJIS-5.5.6 | 216 | ········-·CJIS-5.5.6 |
| 192 | ········-·DISA-STIG-RHEL-07-040170 | 217 | ········-·DISA-STIG-RHEL-07-040170 |
| 193 | ···· | 218 | ···· |
| 194 | ····-·name:·Do·Not·Allow·SSH·Environment·Options | ||
| 195 | ······lineinfile: | ||
| 196 | ········create:·yes | ||
| 197 | ········dest:·/etc/ssh/sshd_config | ||
| 198 | ········regexp:·^PermitUserEnvironment | ||
| 199 | ········line:·PermitUserEnvironment·no | ||
| 200 | ········validate:·sshd·-t·-f·%s | ||
| 201 | ······tags: | ||
| 202 | ········-·sshd_do_not_permit_user_env | ||
| 203 | ········-·medium_severity | ||
| 204 | ········-·restrict_strategy | ||
| 205 | ········-·low_complexity | ||
| 206 | ········-·low_disruption | ||
| 207 | ········-·CCE-27363-1 | ||
| 208 | ········-·NIST-800-53-CM-6(b) | ||
| 209 | ········-·NIST-800-171-3.1.12 | ||
| 210 | ········-·CJIS-5.5.6 | ||
| 211 | ········-·DISA-STIG-RHEL-07-010460 | ||
| 212 | ···· | ||
| 213 | ···· | 219 | ···· |
| 214 | ····-·name:·"Allow·Only·SSH·Protocol·2" | 220 | ····-·name:·"Allow·Only·SSH·Protocol·2" |
| 215 | ······lineinfile: | 221 | ······lineinfile: |
| 216 | ········dest:·/etc/ssh/sshd_config | 222 | ········dest:·/etc/ssh/sshd_config |
| 217 | ········regexp:·"^Protocol·[0-9]" | 223 | ········regexp:·"^Protocol·[0-9]" |
| 218 | ········line:·"Protocol·2" | 224 | ········line:·"Protocol·2" |
| 219 | ········validate:·sshd·-t·-f·%s | 225 | ········validate:·sshd·-t·-f·%s |
| Offset 248, 38 lines modified | Offset 254, 32 lines modified | ||
| 248 | ········-·CCE-27377-1 | 254 | ········-·CCE-27377-1 |
| 249 | ········-·NIST-800-53-AC-3 | 255 | ········-·NIST-800-53-AC-3 |
| 250 | ········-·NIST-800-53-CM-6(a) | 256 | ········-·NIST-800-53-CM-6(a) |
| 251 | ········-·NIST-800-171-3.1.12 | 257 | ········-·NIST-800-171-3.1.12 |
| 252 | ········-·CJIS-5.5.6 | 258 | ········-·CJIS-5.5.6 |
| 253 | ········-·DISA-STIG-RHEL-07-040350 | 259 | ········-·DISA-STIG-RHEL-07-040350 |
| 254 | ···· | 260 | ···· |
| 255 | ···· | 261 | ····-·name:·Do·Not·Allow·SSH·Environment·Options |
| 256 | ···· | ||
| 257 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 258 | ······lineinfile: | 262 | ······lineinfile: |
| 259 | ········create:·yes | 263 | ········create:·yes |
| 260 | ········dest:·/etc/ssh/sshd_config | 264 | ········dest:·/etc/ssh/sshd_config |
| 261 | ········regexp:·^ | 265 | ········regexp:·^PermitUserEnvironment |
| 262 | ········line:· | 266 | ········line:·PermitUserEnvironment·no |
| 263 | ········validate:·sshd·-t·-f·%s | 267 | ········validate:·sshd·-t·-f·%s |
| 264 | ······#notify:·restart·sshd | ||
| 265 | ······tags: | 268 | ······tags: |
| 266 | ········-·sshd_ | 269 | ········-·sshd_do_not_permit_user_env |
| 267 | ········-· | 270 | ········-·medium_severity |
| 268 | ········-·restrict_strategy | 271 | ········-·restrict_strategy |
| 269 | ········-·low_complexity | 272 | ········-·low_complexity |
| 270 | ········-·low_disruption | 273 | ········-·low_disruption |
| 271 | ········-·CCE-27 | 274 | ········-·CCE-27363-1 |
| 272 | ········-·NIST-800-53- | 275 | ········-·NIST-800-53-CM-6(b) |
| 273 | ········-·NIST-800- | 276 | ········-·NIST-800-171-3.1.12 |
| 274 | ········-·NIST-800-53-AC-12 | ||
| 275 | ········-·NIST-800-171-3.1.11 | ||
| 276 | ········-·PCI-DSS-Req-8.1.8 | ||
| 277 | ········-·CJIS-5.5.6 | 277 | ········-·CJIS-5.5.6 |
| 278 | ········-·DISA-STIG-RHEL-07-0 | 278 | ········-·DISA-STIG-RHEL-07-010460 |
| 279 | ···· | 279 | ···· |
| 280 | ····-·name:·Use·Only·Approved·Ciphers | 280 | ····-·name:·Use·Only·Approved·Ciphers |
| 281 | ······lineinfile: | 281 | ······lineinfile: |
| 282 | ········create:·yes | 282 | ········create:·yes |
| 283 | ········dest:·/etc/ssh/sshd_config | 283 | ········dest:·/etc/ssh/sshd_config |
| 284 | ········regexp:·^Ciphers | 284 | ········regexp:·^Ciphers |
| 285 | ········line:·Ciphers·aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc | 285 | ········line:·Ciphers·aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc |
| Offset 1435, 72 lines modified | Offset 1435, 72 lines modified | ||
| 1435 | ········-·low_complexity | 1435 | ········-·low_complexity |
| 1436 | ········-·low_disruption | 1436 | ········-·low_disruption |
| 1437 | ········-·CCE-26887-0 | 1437 | ········-·CCE-26887-0 |
| 1438 | ········-·NIST-800-53-AC-6 | 1438 | ········-·NIST-800-53-AC-6 |
| 1439 | ········-·PCI-DSS-Req-8.7.c | 1439 | ········-·PCI-DSS-Req-8.7.c |
| 1440 | ········-·CJIS-5.5.2.2 | 1440 | ········-·CJIS-5.5.2.2 |
| 1441 | ···· | 1441 | ···· |
| 1442 | ····-·name:·"Read·list· | 1442 | ····-·name:·"Read·list·of·world·and·group·writable·system·executables" |
| 1443 | ······shell:·"find· | 1443 | ······shell:·"find·/bin·/usr/bin·/usr/local/bin·/sbin·/usr/sbin·/usr/local/sbin·/usr/libexec·-perm·/022·-type·f" |
| 1444 | ······register:· | 1444 | ······register:·world_writable_library_files |
| 1445 | ······changed_when:·False | 1445 | ······changed_when:·False |
| 1446 | ······failed_when:·False | 1446 | ······failed_when:·False |
| 1447 | ······check_mode:·no | 1447 | ······check_mode:·no |
| 1448 | ······tags: | 1448 | ······tags: |
| Max diff block lines reached; 2725/7023 bytes (38.80%) of diff not shown. | |||
| Offset 832, 1269 lines modified | Offset 832, 1269 lines modified | ||
| 832 | ········-·CJIS-5.4.1.1 | 832 | ········-·CJIS-5.4.1.1 |
| 833 | ········-·DISA-STIG-RHEL-07-030440 | 833 | ········-·DISA-STIG-RHEL-07-030440 |
| 834 | ···· | 834 | ···· |
| 835 | ···· | 835 | ···· |
| 836 | ····# | 836 | ····# |
| 837 | ····#·What·architecture·are·we·on? | 837 | ····#·What·architecture·are·we·on? |
| 838 | ····# | 838 | ····# |
| 839 | ····-·name:·Set·architecture·for·audit· | 839 | ····-·name:·Set·architecture·for·audit·chown·tasks |
| 840 | ······set_fact: | 840 | ······set_fact: |
| 841 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" | 841 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" |
| 842 | ···· | 842 | ···· |
| 843 | ····# | 843 | ····# |
| 844 | ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d | 844 | ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d |
| 845 | ····# | 845 | ····# |
| 846 | ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules | 846 | ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules |
| 847 | ······find: | 847 | ······find: |
| 848 | ········paths:·"/etc/audit/rules.d" | 848 | ········paths:·"/etc/audit/rules.d" |
| 849 | ········recurse:·no | 849 | ········recurse:·no |
| 850 | ········contains:·"-F·key=perm_mod$" | 850 | ········contains:·"-F·key=perm_mod$" |
| 851 | ········patterns:·"*.rules" | 851 | ········patterns:·"*.rules" |
| 852 | ······register:·find_ | 852 | ······register:·find_chown |
| 853 | ···· | 853 | ···· |
| 854 | ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule | 854 | ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule |
| 855 | ······set_fact: | 855 | ······set_fact: |
| 856 | ········all_files:· | 856 | ········all_files:· |
| 857 | ··········-·/etc/audit/rules.d/privileged.rules | 857 | ··········-·/etc/audit/rules.d/privileged.rules |
| 858 | ······when:·find_ | 858 | ······when:·find_chown.matched·==·0 |
| 859 | ···· | 859 | ···· |
| 860 | ····-·name:·Use·matched·file·as·the·recipient·for·the·rule | 860 | ····-·name:·Use·matched·file·as·the·recipient·for·the·rule |
| 861 | ······set_fact: | 861 | ······set_fact: |
| 862 | ········all_files: | 862 | ········all_files: |
| 863 | ··········-·"{{·find_ | 863 | ··········-·"{{·find_chown.files·|·map(attribute='path')·|·list·|·first·}}" |
| 864 | ······when:·find_ | 864 | ······when:·find_chown.matched·>·0 |
| 865 | ···· | 865 | ···· |
| 866 | ····-·name:·Inserts/replaces·the· | 866 | ····-·name:·Inserts/replaces·the·chown·rule·in·rules.d·when·on·x86 |
| 867 | ······lineinfile: | 867 | ······lineinfile: |
| 868 | ········path:·"{{·all_files[0]·}}" | 868 | ········path:·"{{·all_files[0]·}}" |
| 869 | ········line:·"-a·always,exit·-F·arch=b32·-S· | 869 | ········line:·"-a·always,exit·-F·arch=b32·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" |
| 870 | ········create:·yes | 870 | ········create:·yes |
| 871 | ······tags: | 871 | ······tags: |
| 872 | ········-·audit_rules_dac_modification_ | 872 | ········-·audit_rules_dac_modification_chown |
| 873 | ········-·unknown_severity | 873 | ········-·unknown_severity |
| 874 | ········-·restrict_strategy | 874 | ········-·restrict_strategy |
| 875 | ········-·low_complexity | 875 | ········-·low_complexity |
| 876 | ········-·low_disruption | 876 | ········-·low_disruption |
| 877 | ········-·CCE-273 | 877 | ········-·CCE-27364-9 |
| 878 | ········-·NIST-800-53-AC-17(7) | 878 | ········-·NIST-800-53-AC-17(7) |
| 879 | ········-·NIST-800-53-AU-1(b) | 879 | ········-·NIST-800-53-AU-1(b) |
| 880 | ········-·NIST-800-53-AU-2(a) | 880 | ········-·NIST-800-53-AU-2(a) |
| 881 | ········-·NIST-800-53-AU-2(c) | 881 | ········-·NIST-800-53-AU-2(c) |
| 882 | ········-·NIST-800-53-AU-2(d) | 882 | ········-·NIST-800-53-AU-2(d) |
| 883 | ········-·NIST-800-53-AU-12(a) | 883 | ········-·NIST-800-53-AU-12(a) |
| 884 | ········-·NIST-800-53-AU-12(c) | 884 | ········-·NIST-800-53-AU-12(c) |
| 885 | ········-·NIST-800-53-IR-5 | 885 | ········-·NIST-800-53-IR-5 |
| 886 | ········-·NIST-800-171-3.1.7 | 886 | ········-·NIST-800-171-3.1.7 |
| 887 | ········-·PCI-DSS-Req-10.5.5 | 887 | ········-·PCI-DSS-Req-10.5.5 |
| 888 | ········-·CJIS-5.4.1.1 | 888 | ········-·CJIS-5.4.1.1 |
| 889 | ········-·DISA-STIG-RHEL-07-030 | 889 | ········-·DISA-STIG-RHEL-07-030370 |
| 890 | ···· | 890 | ···· |
| 891 | ····-·name:·Inserts/replaces·the· | 891 | ····-·name:·Inserts/replaces·the·chown·rule·in·rules.d·when·on·x86_64 |
| 892 | ······lineinfile: | 892 | ······lineinfile: |
| 893 | ········path:·"{{·all_files[0]·}}" | 893 | ········path:·"{{·all_files[0]·}}" |
| 894 | ········line:·"-a·always,exit·-F·arch=b64·-S· | 894 | ········line:·"-a·always,exit·-F·arch=b64·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" |
| 895 | ········create:·yes | 895 | ········create:·yes |
| 896 | ······when:·audit_arch·==·'b64' | 896 | ······when:·audit_arch·==·'b64' |
| 897 | ······tags: | 897 | ······tags: |
| 898 | ········-·audit_rules_dac_modification_ | 898 | ········-·audit_rules_dac_modification_chown |
| 899 | ········-·unknown_severity | 899 | ········-·unknown_severity |
| 900 | ········-·restrict_strategy | 900 | ········-·restrict_strategy |
| 901 | ········-·low_complexity | 901 | ········-·low_complexity |
| 902 | ········-·low_disruption | 902 | ········-·low_disruption |
| 903 | ········-·CCE-273 | 903 | ········-·CCE-27364-9 |
| 904 | ········-·NIST-800-53-AC-17(7) | 904 | ········-·NIST-800-53-AC-17(7) |
| 905 | ········-·NIST-800-53-AU-1(b) | 905 | ········-·NIST-800-53-AU-1(b) |
| 906 | ········-·NIST-800-53-AU-2(a) | 906 | ········-·NIST-800-53-AU-2(a) |
| 907 | ········-·NIST-800-53-AU-2(c) | 907 | ········-·NIST-800-53-AU-2(c) |
| 908 | ········-·NIST-800-53-AU-2(d) | 908 | ········-·NIST-800-53-AU-2(d) |
| 909 | ········-·NIST-800-53-AU-12(a) | 909 | ········-·NIST-800-53-AU-12(a) |
| 910 | ········-·NIST-800-53-AU-12(c) | 910 | ········-·NIST-800-53-AU-12(c) |
| 911 | ········-·NIST-800-53-IR-5 | 911 | ········-·NIST-800-53-IR-5 |
| 912 | ········-·NIST-800-171-3.1.7 | 912 | ········-·NIST-800-171-3.1.7 |
| 913 | ········-·PCI-DSS-Req-10.5.5 | 913 | ········-·PCI-DSS-Req-10.5.5 |
| 914 | ········-·CJIS-5.4.1.1 | 914 | ········-·CJIS-5.4.1.1 |
| 915 | ········-·DISA-STIG-RHEL-07-030 | 915 | ········-·DISA-STIG-RHEL-07-030370 |
| 916 | ····#···· | 916 | ····#···· |
| 917 | ····#·Inserts/replaces·the·rule·in·/etc/audit/audit.rules | 917 | ····#·Inserts/replaces·the·rule·in·/etc/audit/audit.rules |
| 918 | ····# | 918 | ····# |
| 919 | ····-·name:·Inserts/replaces·the· | 919 | ····-·name:·Inserts/replaces·the·chown·rule·in·/etc/audit/audit.rules·when·on·x86 |
| 920 | ······lineinfile: | 920 | ······lineinfile: |
| 921 | ········line:·"{{·item·}}" | 921 | ········line:·"{{·item·}}" |
| 922 | ········state:·present | 922 | ········state:·present |
| 923 | ········dest:·/etc/audit/audit.rules | 923 | ········dest:·/etc/audit/audit.rules |
| 924 | ······with_items: | 924 | ······with_items: |
| 925 | ········-·"-a·always,exit·-F·arch=b32·-S· | 925 | ········-·"-a·always,exit·-F·arch=b32·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" |
| 926 | ······tags: | 926 | ······tags: |
| 927 | ········-·audit_rules_dac_modification_ | 927 | ········-·audit_rules_dac_modification_chown |
| 928 | ········-·unknown_severity | 928 | ········-·unknown_severity |
| 929 | ········-·restrict_strategy | 929 | ········-·restrict_strategy |
| 930 | ········-·low_complexity | 930 | ········-·low_complexity |
| 931 | ········-·low_disruption | 931 | ········-·low_disruption |
| 932 | ········-·CCE-273 | 932 | ········-·CCE-27364-9 |
| 933 | ········-·NIST-800-53-AC-17(7) | 933 | ········-·NIST-800-53-AC-17(7) |
| 934 | ········-·NIST-800-53-AU-1(b) | 934 | ········-·NIST-800-53-AU-1(b) |
| 935 | ········-·NIST-800-53-AU-2(a) | 935 | ········-·NIST-800-53-AU-2(a) |
| 936 | ········-·NIST-800-53-AU-2(c) | 936 | ········-·NIST-800-53-AU-2(c) |
| 937 | ········-·NIST-800-53-AU-2(d) | 937 | ········-·NIST-800-53-AU-2(d) |
| 938 | ········-·NIST-800-53-AU-12(a) | 938 | ········-·NIST-800-53-AU-12(a) |
| 939 | ········-·NIST-800-53-AU-12(c) | 939 | ········-·NIST-800-53-AU-12(c) |
| 940 | ········-·NIST-800-53-IR-5 | 940 | ········-·NIST-800-53-IR-5 |
| 941 | ········-·NIST-800-171-3.1.7 | 941 | ········-·NIST-800-171-3.1.7 |
| 942 | ········-·PCI-DSS-Req-10.5.5 | 942 | ········-·PCI-DSS-Req-10.5.5 |
| 943 | ········-·CJIS-5.4.1.1 | 943 | ········-·CJIS-5.4.1.1 |
| 944 | ········-·DISA-STIG-RHEL-07-030 | 944 | ········-·DISA-STIG-RHEL-07-030370 |
| 945 | ···· | 945 | ···· |
| 946 | ····-·name:·Inserts/replaces·the· | 946 | ····-·name:·Inserts/replaces·the·chown·rule·in·audit.rules·when·on·x86_64 |
| 947 | ······lineinfile: | 947 | ······lineinfile: |
| 948 | ········line:·"{{·item·}}" | 948 | ········line:·"{{·item·}}" |
| 949 | ········state:·present | 949 | ········state:·present |
| 950 | ········dest:·/etc/audit/audit.rules | 950 | ········dest:·/etc/audit/audit.rules |
| 951 | ········create:·yes | 951 | ········create:·yes |
| 952 | ······with_items: | 952 | ······with_items: |
| 953 | ········-·"-a·always,exit·-F·arch=b64·-S· | 953 | ········-·"-a·always,exit·-F·arch=b64·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" |
| 954 | ······when:·audit_arch·==·'b64' | 954 | ······when:·audit_arch·==·'b64' |
| 955 | ······tags: | 955 | ······tags: |
| 956 | ········-·audit_rules_dac_modification_ | 956 | ········-·audit_rules_dac_modification_chown |
| 957 | ········-·unknown_severity | 957 | ········-·unknown_severity |
| 958 | ········-·restrict_strategy | 958 | ········-·restrict_strategy |
| Max diff block lines reached; 48574/54119 bytes (89.75%) of diff not shown. | |||
| Offset 44, 18 lines modified | Offset 44, 18 lines modified | ||
| 44 | ·········· | 44 | ·········· |
| 45 | ···vars: | 45 | ···vars: |
| 46 | ······sshd_idle_timeout_value:·600 | 46 | ······sshd_idle_timeout_value:·600 |
| 47 | ······inactivity_timeout_value:·900 | 47 | ······inactivity_timeout_value:·900 |
| 48 | ······rsyslog_remote_loghost_address:·logcollector | 48 | ······rsyslog_remote_loghost_address:·logcollector |
| 49 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 49 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 50 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 51 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 52 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | 51 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 | ||
| 54 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 52 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 53 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 | ||
| 54 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 55 | ······var_selinux_policy_name:·targeted | 55 | ······var_selinux_policy_name:·targeted |
| 56 | ······var_selinux_state:·enforcing | 56 | ······var_selinux_state:·enforcing |
| 57 | ······var_accounts_minimum_age_login_defs:·1 | 57 | ······var_accounts_minimum_age_login_defs:·1 |
| 58 | ······var_accounts_maximum_age_login_defs:·60 | 58 | ······var_accounts_maximum_age_login_defs:·60 |
| 59 | ······var_account_disable_post_pw_expiration:·0 | 59 | ······var_account_disable_post_pw_expiration:·0 |
| 60 | ······var_accounts_passwords_pam_faillock_deny:·3 | 60 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·never | 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·never |
| Offset 72, 17 lines modified | Offset 72, 17 lines modified | ||
| 72 | ······var_password_pam_difok:·8 | 72 | ······var_password_pam_difok:·8 |
| 73 | ······var_password_pam_ocredit:·-1 | 73 | ······var_password_pam_ocredit:·-1 |
| 74 | ······var_password_pam_lcredit:·-1 | 74 | ······var_password_pam_lcredit:·-1 |
| 75 | ······var_password_pam_ucredit:·-1 | 75 | ······var_password_pam_ucredit:·-1 |
| 76 | ······var_password_pam_retry:·3 | 76 | ······var_password_pam_retry:·3 |
| 77 | ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) | 77 | ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) |
| 78 | ······var_accounts_user_umask:·077 | 78 | ······var_accounts_user_umask:·077 |
| 79 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 79 | ······var_accounts_fail_delay:·4 | 80 | ······var_accounts_fail_delay:·4 |
| 80 | ······var_accounts_tmout:·600 | 81 | ······var_accounts_tmout:·600 |
| 81 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 82 | ······var_auditd_action_mail_acct:·root | 82 | ······var_auditd_action_mail_acct:·root |
| 83 | ······var_auditd_space_left_action:·email | 83 | ······var_auditd_space_left_action:·email |
| 84 | ······var_removable_partition:·/dev/cdrom | 84 | ······var_removable_partition:·/dev/cdrom |
| 85 | ···tasks: | 85 | ···tasks: |
| 86 | ····-·name:·Ensure·rsh-server·is·removed | 86 | ····-·name:·Ensure·rsh-server·is·removed |
| 87 | ······package: | 87 | ······package: |
| 88 | ········name="{{item}}" | 88 | ········name="{{item}}" |
| Offset 250, 14 lines modified | Offset 250, 33 lines modified | ||
| 250 | ········-·low_disruption | 250 | ········-·low_disruption |
| 251 | ········-·CCE-80258-7 | 251 | ········-·CCE-80258-7 |
| 252 | ········-·NIST-800-53-AC-17(8) | 252 | ········-·NIST-800-53-AC-17(8) |
| 253 | ········-·NIST-800-53-CM-7 | 253 | ········-·NIST-800-53-CM-7 |
| 254 | ········-·NIST-800-53-CM-6(b) | 254 | ········-·NIST-800-53-CM-6(b) |
| 255 | ········-·DISA-STIG-RHEL-07-021300 | 255 | ········-·DISA-STIG-RHEL-07-021300 |
| 256 | ···· | 256 | ···· |
| 257 | ····-·name:·"Enable·Use·of·Strict·Mode·Checking" | ||
| 258 | ······lineinfile: | ||
| 259 | ········create:·yes | ||
| 260 | ········dest:·/etc/ssh/sshd_config | ||
| 261 | ········regexp:·(?i)^#?strictmodes | ||
| 262 | ········line:·StrictModes·yes | ||
| 263 | ········validate:·sshd·-t·-f·%s | ||
| 264 | ······#notify:·restart·sshd | ||
| 265 | ······tags: | ||
| 266 | ········-·sshd_enable_strictmodes | ||
| 267 | ········-·medium_severity | ||
| 268 | ········-·restrict_strategy | ||
| 269 | ········-·low_complexity | ||
| 270 | ········-·low_disruption | ||
| 271 | ········-·CCE-80222-3 | ||
| 272 | ········-·NIST-800-53-AC-6 | ||
| 273 | ········-·NIST-800-171-3.1.12 | ||
| 274 | ········-·DISA-STIG-RHEL-07-040450 | ||
| 275 | ···· | ||
| 257 | ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts" | 276 | ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts" |
| 258 | ······lineinfile: | 277 | ······lineinfile: |
| 259 | ········create:·yes | 278 | ········create:·yes |
| 260 | ········dest:·/etc/ssh/sshd_config | 279 | ········dest:·/etc/ssh/sshd_config |
| 261 | ········regexp:·^IgnoreUserKnownHosts | 280 | ········regexp:·^IgnoreUserKnownHosts |
| 262 | ········line:·IgnoreUserKnownHosts·yes | 281 | ········line:·IgnoreUserKnownHosts·yes |
| 263 | ········validate:·sshd·-t·-f·%s | 282 | ········validate:·sshd·-t·-f·%s |
| Offset 313, 31 lines modified | Offset 332, 38 lines modified | ||
| 313 | ········-·NIST-800-53-AC-2(5) | 332 | ········-·NIST-800-53-AC-2(5) |
| 314 | ········-·NIST-800-53-SA-8 | 333 | ········-·NIST-800-53-SA-8 |
| 315 | ········-·NIST-800-53-AC-12 | 334 | ········-·NIST-800-53-AC-12 |
| 316 | ········-·NIST-800-171-3.1.11 | 335 | ········-·NIST-800-171-3.1.11 |
| 317 | ········-·CJIS-5.5.6 | 336 | ········-·CJIS-5.5.6 |
| 318 | ········-·DISA-STIG-RHEL-07-040340 | 337 | ········-·DISA-STIG-RHEL-07-040340 |
| 319 | ···· | 338 | ···· |
| 320 | ···· | 339 | ···· |
| 340 | ···· | ||
| 341 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 321 | ······lineinfile: | 342 | ······lineinfile: |
| 322 | ········create:·yes | 343 | ········create:·yes |
| 323 | ········dest:·/etc/ssh/sshd_config | 344 | ········dest:·/etc/ssh/sshd_config |
| 324 | ········regexp:·^ | 345 | ········regexp:·^ClientAliveInterval |
| 325 | ········line:· | 346 | ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}" |
| 326 | ········validate:·sshd·-t·-f·%s | 347 | ········validate:·sshd·-t·-f·%s |
| 348 | ······#notify:·restart·sshd | ||
| 327 | ······tags: | 349 | ······tags: |
| 328 | ········-·sshd_ | 350 | ········-·sshd_set_idle_timeout |
| 329 | ········-· | 351 | ········-·unknown_severity |
| 330 | ········-·restrict_strategy | 352 | ········-·restrict_strategy |
| 331 | ········-·low_complexity | 353 | ········-·low_complexity |
| 332 | ········-·low_disruption | 354 | ········-·low_disruption |
| 333 | ········-·CCE- | 355 | ········-·CCE-27433-2 |
| 334 | ········-·NIST-800-53- | 356 | ········-·NIST-800-53-AC-2(5) |
| 335 | ········-·NIST-800- | 357 | ········-·NIST-800-53-SA-8(i) |
| 336 | ········-· | 358 | ········-·NIST-800-53-AC-12 |
| 359 | ········-·NIST-800-171-3.1.11 | ||
| 360 | ········-·PCI-DSS-Req-8.1.8 | ||
| 361 | ········-·CJIS-5.5.6 | ||
| 362 | ········-·DISA-STIG-RHEL-07-040320 | ||
| 337 | ···· | 363 | ···· |
| 338 | ····-·name:·Enable·SSH·Warning·Banner | 364 | ····-·name:·Enable·SSH·Warning·Banner |
| 339 | ······lineinfile: | 365 | ······lineinfile: |
| 340 | ········create:·yes | 366 | ········create:·yes |
| 341 | ········dest:·/etc/ssh/sshd_config | 367 | ········dest:·/etc/ssh/sshd_config |
| 342 | ········regexp:·^Banner | 368 | ········regexp:·^Banner |
| 343 | ········line:·Banner·/etc/issue | 369 | ········line:·Banner·/etc/issue |
| Offset 377, 33 lines modified | Offset 403, 14 lines modified | ||
| 377 | ········-·NIST-800-53-IA-7 | 403 | ········-·NIST-800-53-IA-7 |
| 378 | ········-·NIST-800-53-SC-13 | 404 | ········-·NIST-800-53-SC-13 |
| 379 | ········-·NIST-800-171-3.1.13 | 405 | ········-·NIST-800-171-3.1.13 |
| 380 | ········-·NIST-800-171-3.13.11 | 406 | ········-·NIST-800-171-3.13.11 |
| 381 | ········-·NIST-800-171-3.13.8 | 407 | ········-·NIST-800-171-3.13.8 |
| 382 | ········-·DISA-STIG-RHEL-07-040400 | 408 | ········-·DISA-STIG-RHEL-07-040400 |
| 383 | ···· | 409 | ···· |
| 384 | ····-·name:·Do·Not·Allow·SSH·Environment·Options | ||
| 385 | ······lineinfile: | ||
| 386 | ········create:·yes | ||
| 387 | ········dest:·/etc/ssh/sshd_config | ||
| 388 | ········regexp:·^PermitUserEnvironment | ||
| 389 | ········line:·PermitUserEnvironment·no | ||
| 390 | ········validate:·sshd·-t·-f·%s | ||
| Max diff block lines reached; 106151/113585 bytes (93.46%) of diff not shown. | |||
| Offset 43, 57 lines modified | Offset 43, 58 lines modified | ||
| 43 | ·········· | 43 | ·········· |
| 44 | ···vars: | 44 | ···vars: |
| 45 | ······sshd_idle_timeout_value:·300 | 45 | ······sshd_idle_timeout_value:·300 |
| 46 | ······rsyslog_remote_loghost_address:·None | 46 | ······rsyslog_remote_loghost_address:·None |
| 47 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 47 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 48 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 52 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 53 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 54 | ······sysctl_net_ipv4_conf_ | 54 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 55 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 55 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 56 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 56 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 57 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 58 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 58 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 59 | ······sysctl_net_ipv4_icmp_ | 59 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 60 | ······sysctl_net_ipv4_conf_ | 60 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 61 | ······var_selinux_policy_name:·targeted | 61 | ······var_selinux_policy_name:·targeted |
| 62 | ······var_selinux_state:·enforcing | 62 | ······var_selinux_state:·enforcing |
| 63 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 64 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 65 | ······var_accounts_password_warn_age_login_defs:·7 | 63 | ······var_accounts_password_warn_age_login_defs:·7 |
| 64 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 65 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 66 | ······var_account_disable_post_pw_expiration:·35 | 66 | ······var_account_disable_post_pw_expiration:·35 |
| 67 | ······var_password_pam_unix_remember:·0 | 67 | ······var_password_pam_unix_remember:·0 |
| 68 | ······var_accounts_passwords_pam_faillock_deny:·3 | 68 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 69 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 69 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 70 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 70 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 71 | ······var_removable_partition:·/dev/cdrom | ||
| 72 | ······var_removable_partition:·/dev/cdrom | ||
| 73 | ······var_removable_partition:·/dev/cdrom | ||
| 71 | ······var_auditd_max_log_file:·1 | 74 | ······var_auditd_max_log_file:·1 |
| 72 | ······var_auditd_action_mail_acct:·admin | 75 | ······var_auditd_action_mail_acct:·admin |
| 73 | ······var_auditd_space_left_action:·suspend | ||
| 74 | ······var_auditd_admin_space_left_action:·suspend | 76 | ······var_auditd_admin_space_left_action:·suspend |
| 77 | ······var_auditd_space_left_action:·suspend | ||
| 75 | ······var_auditd_max_log_file_action:·ignore | 78 | ······var_auditd_max_log_file_action:·ignore |
| 76 | ······var_removable_partition:·/dev/cdrom | ||
| 77 | ······var_removable_partition:·/dev/cdrom | ||
| 78 | ······var_removable_partition:·/dev/cdrom | ||
| 79 | ···tasks: | 79 | ···tasks: |
| 80 | ····-·name:·Ensure·s | 80 | ····-·name:·Ensure·vsftpd·is·removed |
| 81 | ······package: | 81 | ······package: |
| 82 | ········name="{{item}}" | 82 | ········name="{{item}}" |
| 83 | ········state=absent | 83 | ········state=absent |
| 84 | ······with_items: | 84 | ······with_items: |
| 85 | ········-·s | 85 | ········-·vsftpd |
| 86 | ······tags: | 86 | ······tags: |
| 87 | ········-·package_s | 87 | ········-·package_vsftpd_removed |
| 88 | ········-·unknown_severity | 88 | ········-·unknown_severity |
| 89 | ········-·disable_strategy | 89 | ········-·disable_strategy |
| 90 | ········-·low_complexity | 90 | ········-·low_complexity |
| 91 | ········-·low_disruption | 91 | ········-·low_disruption |
| 92 | ········-·CCE-2 | 92 | ········-·CCE-26687-4 |
| 93 | ········-·NIST-800-53-CM-7 | ||
| 93 | ···· | 94 | ···· |
| 94 | ····-·name:·Ensure·httpd·is·removed | 95 | ····-·name:·Ensure·httpd·is·removed |
| 95 | ······package: | 96 | ······package: |
| 96 | ········name="{{item}}" | 97 | ········name="{{item}}" |
| 97 | ········state=absent | 98 | ········state=absent |
| 98 | ······with_items: | 99 | ······with_items: |
| 99 | ········-·httpd | 100 | ········-·httpd |
| Offset 102, 29 lines modified | Offset 103, 43 lines modified | ||
| 102 | ········-·unknown_severity | 103 | ········-·unknown_severity |
| 103 | ········-·disable_strategy | 104 | ········-·disable_strategy |
| 104 | ········-·low_complexity | 105 | ········-·low_complexity |
| 105 | ········-·low_disruption | 106 | ········-·low_disruption |
| 106 | ········-·CCE-27133-8 | 107 | ········-·CCE-27133-8 |
| 107 | ········-·NIST-800-53-CM-7 | 108 | ········-·NIST-800-53-CM-7 |
| 108 | ···· | 109 | ···· |
| 109 | ····-·name:·Ensure· | 110 | ····-·name:·Ensure·bind·is·removed |
| 110 | ······package: | 111 | ······package: |
| 111 | ········name="{{item}}" | 112 | ········name="{{item}}" |
| 112 | ········state=absent | 113 | ········state=absent |
| 113 | ······with_items: | 114 | ······with_items: |
| 114 | ········-· | 115 | ········-·bind |
| 115 | ······tags: | 116 | ······tags: |
| 116 | ········-·package_ | 117 | ········-·package_bind_removed |
| 117 | ········-· | 118 | ········-·unknown_severity |
| 118 | ········-·disable_strategy | 119 | ········-·disable_strategy |
| 119 | ········-·low_complexity | 120 | ········-·low_complexity |
| 120 | ········-·low_disruption | 121 | ········-·low_disruption |
| 121 | ········-·CCE-27 | 122 | ········-·CCE-27030-6 |
| 122 | ········-·NIST-800-53-CM-7 | 123 | ········-·NIST-800-53-CM-7 |
| 123 | ···· | 124 | ···· |
| 125 | ····-·name:·Ensure·samba·is·removed | ||
| 126 | ······package: | ||
| 127 | ········name="{{item}}" | ||
| 128 | ········state=absent | ||
| 129 | ······with_items: | ||
| 130 | ········-·samba | ||
| 131 | ······tags: | ||
| 132 | ········-·package_samba_removed | ||
| 133 | ········-·unknown_severity | ||
| 134 | ········-·disable_strategy | ||
| 135 | ········-·low_complexity | ||
| 136 | ········-·low_disruption | ||
| 137 | ········-·CCE-27102-3 | ||
| 138 | ···· | ||
| 124 | ····-·name:·Enable·service·ntpd | 139 | ····-·name:·Enable·service·ntpd |
| 125 | ······service: | 140 | ······service: |
| 126 | ········name="{{item}}" | 141 | ········name="{{item}}" |
| 127 | ········enabled="yes" | 142 | ········enabled="yes" |
| 128 | ········state="started" | 143 | ········state="started" |
| 129 | ······with_items: | 144 | ······with_items: |
| 130 | ········-·ntpd | 145 | ········-·ntpd |
| Offset 135, 45 lines modified | Offset 150, 94 lines modified | ||
| 135 | ········-·low_complexity | 150 | ········-·low_complexity |
| 136 | ········-·low_disruption | 151 | ········-·low_disruption |
| 137 | ········-·CCE-27093-4 | 152 | ········-·CCE-27093-4 |
| 138 | ········-·NIST-800-53-AU-8(1) | 153 | ········-·NIST-800-53-AU-8(1) |
| 139 | ········-·PCI-DSS-Req-10.4 | 154 | ········-·PCI-DSS-Req-10.4 |
| 140 | ········-·DISA-STIG-RHEL-06-000247 | 155 | ········-·DISA-STIG-RHEL-06-000247 |
| 141 | ···· | 156 | ···· |
| 142 | ····-·name:· | 157 | ····-·name:·Ensure·openldap-servers·is·removed |
| 158 | ······package: | ||
| 159 | ········name="{{item}}" | ||
| 160 | ········state=absent | ||
| 161 | ······with_items: | ||
| 162 | ········-·openldap-servers | ||
| 163 | ······tags: | ||
| 164 | ········-·package_openldap-servers_removed | ||
| 165 | ········-·unknown_severity | ||
| 166 | ········-·disable_strategy | ||
| 167 | ········-·low_complexity | ||
| Max diff block lines reached; 83773/89246 bytes (93.87%) of diff not shown. | |||
| Offset 33, 88 lines modified | Offset 33, 75 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······rsyslog_remote_loghost_address:·None | 36 | ······rsyslog_remote_loghost_address:·None |
| 37 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 37 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 40 | ······sysctl_net_ipv4_icmp_ | 40 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_ | 44 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 49 | ······sysctl_net_ipv4_icmp_ | 49 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_ | 50 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 51 | ······var_selinux_policy_name:·targeted | 51 | ······var_selinux_policy_name:·targeted |
| 52 | ······var_selinux_state:·enforcing | 52 | ······var_selinux_state:·enforcing |
| 53 | ······var_accounts_password_minlen_login_defs:·14 | 53 | ······var_accounts_password_minlen_login_defs:·14 |
| 54 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 55 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | 54 | ······var_accounts_password_warn_age_login_defs:·7 |
| 55 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 56 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 57 | ······var_account_disable_post_pw_expiration:·35 | 57 | ······var_account_disable_post_pw_expiration:·35 |
| 58 | ······var_password_pam_unix_remember:·10 | 58 | ······var_password_pam_unix_remember:·10 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_user_umask:·077 | 63 | ······var_accounts_user_umask:·077 |
| 64 | ······var_accounts_max_concurrent_login_sessions:·3 | 64 | ······var_accounts_max_concurrent_login_sessions:·3 |
| 65 | ······var_removable_partition:·/dev/cdrom | 65 | ······var_removable_partition:·/dev/cdrom |
| 66 | ······var_removable_partition:·/dev/cdrom | 66 | ······var_removable_partition:·/dev/cdrom |
| 67 | ······var_removable_partition:·/dev/cdrom | 67 | ······var_removable_partition:·/dev/cdrom |
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Disable·service·s | 69 | ····-·name:·Disable·service·vsftpd |
| 70 | ······service: | 70 | ······service: |
| 71 | ········name="{{item}}" | 71 | ········name="{{item}}" |
| 72 | ········enabled="no" | 72 | ········enabled="no" |
| 73 | ········state="stopped" | 73 | ········state="stopped" |
| 74 | ······register:·service_result | 74 | ······register:·service_result |
| 75 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 75 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 76 | ······with_items: | 76 | ······with_items: |
| 77 | ········-·s | 77 | ········-·vsftpd |
| 78 | ······tags: | 78 | ······tags: |
| 79 | ········-·service_s | 79 | ········-·service_vsftpd_disabled |
| 80 | ········-·unknown_severity | 80 | ········-·unknown_severity |
| 81 | ········-·disable_strategy | 81 | ········-·disable_strategy |
| 82 | ········-·low_complexity | 82 | ········-·low_complexity |
| 83 | ········-·low_disruption | 83 | ········-·low_disruption |
| 84 | ········-·CCE-2 | 84 | ········-·CCE-26948-0 |
| 85 | ···· | 85 | ········-·NIST-800-53-CM-7 |
| 86 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 87 | ······stat: | ||
| 88 | ········path:·/etc/samba/smb.conf | ||
| 89 | ······register:·st_smb | ||
| 90 | ······tags: | ||
| 91 | ········-·require_smb_client_signing | ||
| 92 | ········-·unknown_severity | ||
| 93 | ········-·configure_strategy | ||
| 94 | ········-·low_complexity | ||
| 95 | ········-·medium_disruption | ||
| 96 | ········-·CCE-26328-5 | ||
| 97 | ········-·DISA-STIG-RHEL-06-000272 | ||
| 98 | ···· | 86 | ···· |
| 99 | ····-·name:· | 87 | ····-·name:·Ensure·vsftpd·is·removed |
| 100 | ······ | 88 | ······package: |
| 101 | ········ | 89 | ········name="{{item}}" |
| 102 | ········ | 90 | ········state=absent |
| 103 | ······ | 91 | ······with_items: |
| 104 | ········ | 92 | ········-·vsftpd |
| 105 | ······when:·st_smb.stat.exists | ||
| 106 | ······tags: | 93 | ······tags: |
| 107 | ········-· | 94 | ········-·package_vsftpd_removed |
| 108 | ········-·unknown_severity | 95 | ········-·unknown_severity |
| 109 | ········-· | 96 | ········-·disable_strategy |
| 110 | ········-·low_complexity | 97 | ········-·low_complexity |
| 111 | ········-· | 98 | ········-·low_disruption |
| 112 | ········-·CCE-26 | 99 | ········-·CCE-26687-4 |
| 113 | ········-· | 100 | ········-·NIST-800-53-CM-7 |
| 114 | ···· | 101 | ···· |
| 115 | ····-·name:·Ensure·httpd·is·removed | 102 | ····-·name:·Ensure·httpd·is·removed |
| 116 | ······package: | 103 | ······package: |
| 117 | ········name="{{item}}" | 104 | ········name="{{item}}" |
| 118 | ········state=absent | 105 | ········state=absent |
| 119 | ······with_items: | 106 | ······with_items: |
| 120 | ········-·httpd | 107 | ········-·httpd |
| Offset 153, 45 lines modified | Offset 140, 92 lines modified | ||
| 153 | ········-·unknown_severity | 140 | ········-·unknown_severity |
| 154 | ········-·configure_strategy | 141 | ········-·configure_strategy |
| 155 | ········-·low_complexity | 142 | ········-·low_complexity |
| 156 | ········-·low_disruption | 143 | ········-·low_disruption |
| 157 | ········-·CCE-27316-9 | 144 | ········-·CCE-27316-9 |
| 158 | ········-·NIST-800-53-CM-7 | 145 | ········-·NIST-800-53-CM-7 |
| 159 | ···· | 146 | ···· |
| 160 | ····-·name:· | 147 | ····-·name:·Disable·service·named |
| 148 | ······service: | ||
| 149 | ········name="{{item}}" | ||
| 150 | ········enabled="no" | ||
| 151 | ········state="stopped" | ||
| 152 | ······register:·service_result | ||
| 153 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 154 | ······with_items: | ||
| 155 | ········-·named | ||
| 156 | ······tags: | ||
| 157 | ········-·service_named_disabled | ||
| 158 | ········-·unknown_severity | ||
| 159 | ········-·disable_strategy | ||
| 160 | ········-·low_complexity | ||
| 161 | ········-·low_disruption | ||
| 162 | ········-·CCE-26873-0 | ||
| 163 | ········-·NIST-800-53-CM-7 | ||
| 164 | ···· | ||
| 165 | ····-·name:·Ensure·bind·is·removed | ||
| 161 | ······package: | 166 | ······package: |
| 162 | ········name="{{item}}" | 167 | ········name="{{item}}" |
| 163 | ········state=absent | 168 | ········state=absent |
| 164 | ······with_items: | 169 | ······with_items: |
| 165 | ········-· | 170 | ········-·bind |
| 166 | ······tags: | 171 | ······tags: |
| 167 | ········-·package_ | 172 | ········-·package_bind_removed |
| 168 | ········-· | 173 | ········-·unknown_severity |
| 169 | ········-·disable_strategy | 174 | ········-·disable_strategy |
| 170 | ········-·low_complexity | 175 | ········-·low_complexity |
| Max diff block lines reached; 175955/181073 bytes (97.17%) of diff not shown. | |||
| Offset 35, 39 lines modified | Offset 35, 72 lines modified | ||
| 35 | ·······assert: | 35 | ·······assert: |
| 36 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 36 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 37 | ·········msg:·> | 37 | ·········msg:·> |
| 38 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 38 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 39 | ·········· | 39 | ·········· |
| 40 | ···vars: | 40 | ···vars: |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 42 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_ | 46 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_icmp_ | 51 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 52 | ······sysctl_net_ipv4_conf_ | 52 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 53 | ······var_selinux_policy_name:·mls | 53 | ······var_selinux_policy_name:·mls |
| 54 | ······var_selinux_state:·enforcing | 54 | ······var_selinux_state:·enforcing |
| 55 | ······var_accounts_password_minlen_login_defs:·12 | 55 | ······var_accounts_password_minlen_login_defs:·12 |
| 56 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 57 | ······var_accounts_password_warn_age_login_defs:·7 | 56 | ······var_accounts_password_warn_age_login_defs:·7 |
| 57 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 58 | ······var_account_disable_post_pw_expiration:·35 | 58 | ······var_account_disable_post_pw_expiration:·35 |
| 59 | ······var_password_pam_unix_remember:·0 | 59 | ······var_password_pam_unix_remember:·0 |
| 60 | ······var_password_pam_retry:·3 | 60 | ······var_password_pam_retry:·3 |
| 61 | ······var_auditd_max_log_file:·1 | 61 | ······var_auditd_max_log_file:·1 |
| 62 | ······var_auditd_action_mail_acct:·admin | 62 | ······var_auditd_action_mail_acct:·admin |
| 63 | ······var_auditd_space_left_action:·suspend | ||
| 64 | ······var_auditd_admin_space_left_action:·suspend | 63 | ······var_auditd_admin_space_left_action:·suspend |
| 64 | ······var_auditd_space_left_action:·suspend | ||
| 65 | ······var_auditd_max_log_file_action:·keep_logs | 65 | ······var_auditd_max_log_file_action:·keep_logs |
| 66 | ···tasks: | 66 | ···tasks: |
| 67 | ····-·name:·Disable·service·vsftpd | ||
| 68 | ······service: | ||
| 69 | ········name="{{item}}" | ||
| 70 | ········enabled="no" | ||
| 71 | ········state="stopped" | ||
| 72 | ······register:·service_result | ||
| 73 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 74 | ······with_items: | ||
| 75 | ········-·vsftpd | ||
| 76 | ······tags: | ||
| 77 | ········-·service_vsftpd_disabled | ||
| 78 | ········-·unknown_severity | ||
| 79 | ········-·disable_strategy | ||
| 80 | ········-·low_complexity | ||
| 81 | ········-·low_disruption | ||
| 82 | ········-·CCE-26948-0 | ||
| 83 | ········-·NIST-800-53-CM-7 | ||
| 84 | ···· | ||
| 85 | ····-·name:·Ensure·vsftpd·is·removed | ||
| 86 | ······package: | ||
| 87 | ········name="{{item}}" | ||
| 88 | ········state=absent | ||
| 89 | ······with_items: | ||
| 90 | ········-·vsftpd | ||
| 91 | ······tags: | ||
| 92 | ········-·package_vsftpd_removed | ||
| 93 | ········-·unknown_severity | ||
| 94 | ········-·disable_strategy | ||
| 95 | ········-·low_complexity | ||
| 96 | ········-·low_disruption | ||
| 97 | ········-·CCE-26687-4 | ||
| 98 | ········-·NIST-800-53-CM-7 | ||
| 99 | ···· | ||
| 67 | ···· | 100 | ···· |
| 68 | ····-·name:·Find·/etc/httpd/conf/*·file(s) | 101 | ····-·name:·Find·/etc/httpd/conf/*·file(s) |
| 69 | ······find: | 102 | ······find: |
| 70 | ········paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}" | 103 | ········paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}" |
| 71 | ········patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}" | 104 | ········patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}" |
| 72 | ······register:·files_found | 105 | ······register:·files_found |
| 73 | ······tags: | 106 | ······tags: |
| Offset 90, 98 lines modified | Offset 123, 116 lines modified | ||
| 90 | ········-·unknown_severity | 123 | ········-·unknown_severity |
| 91 | ········-·configure_strategy | 124 | ········-·configure_strategy |
| 92 | ········-·low_complexity | 125 | ········-·low_complexity |
| 93 | ········-·low_disruption | 126 | ········-·low_disruption |
| 94 | ········-·CCE-27316-9 | 127 | ········-·CCE-27316-9 |
| 95 | ········-·NIST-800-53-CM-7 | 128 | ········-·NIST-800-53-CM-7 |
| 96 | ···· | 129 | ···· |
| 97 | ····-·name:· | 130 | ····-·name:·Disable·service·named |
| 98 | ······ | 131 | ······service: |
| 99 | ········name="{{item}}" | 132 | ········name="{{item}}" |
| 100 | ········ | 133 | ········enabled="no" |
| 134 | ········state="stopped" | ||
| 135 | ······register:·service_result | ||
| 136 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 101 | ······with_items: | 137 | ······with_items: |
| 102 | ········-· | 138 | ········-·named |
| 103 | ······tags: | 139 | ······tags: |
| 104 | ········-· | 140 | ········-·service_named_disabled |
| 105 | ········-· | 141 | ········-·unknown_severity |
| 106 | ········-·disable_strategy | 142 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 143 | ········-·low_complexity |
| 108 | ········-·low_disruption | 144 | ········-·low_disruption |
| 109 | ········-·CCE-2 | 145 | ········-·CCE-26873-0 |
| 110 | ········-·NIST-800-53-CM-7 | 146 | ········-·NIST-800-53-CM-7 |
| 111 | ········-·DISA-STIG-RHEL-06-000288 | ||
| 112 | ···· | 147 | ···· |
| 113 | ····-·name:·Ensure· | 148 | ····-·name:·Ensure·bind·is·removed |
| 114 | ······package: | 149 | ······package: |
| 115 | ········name="{{item}}" | 150 | ········name="{{item}}" |
| 116 | ········state=absent | 151 | ········state=absent |
| 117 | ······with_items: | 152 | ······with_items: |
| 118 | ········-· | 153 | ········-·bind |
| 119 | ······tags: | 154 | ······tags: |
| 120 | ········-·package_ | 155 | ········-·package_bind_removed |
| 121 | ········-· | 156 | ········-·unknown_severity |
| 122 | ········-·disable_strategy | 157 | ········-·disable_strategy |
| 123 | ········-·low_complexity | 158 | ········-·low_complexity |
| 124 | ········-·low_disruption | 159 | ········-·low_disruption |
| 125 | ········-·CCE-27 | 160 | ········-·CCE-27030-6 |
| 126 | ········-·NIST-800-53-CM-7 | 161 | ········-·NIST-800-53-CM-7 |
| 127 | ···· | 162 | ···· |
| 128 | ····-·name:· | 163 | ····-·name:·Enable·service·ntpd |
| 129 | ······service: | 164 | ······service: |
| 130 | ········name="{{item}}" | 165 | ········name="{{item}}" |
| 131 | ········enabled=" | 166 | ········enabled="yes" |
| 132 | ········state="st | 167 | ········state="started" |
| 133 | ······register:·service_result | ||
| 134 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 135 | ······with_items: | 168 | ······with_items: |
| 136 | ········-· | 169 | ········-·ntpd |
| 137 | ······tags: | 170 | ······tags: |
| 138 | ········-·service_ | 171 | ········-·service_ntpd_enabled |
| Max diff block lines reached; 127041/131888 bytes (96.32%) of diff not shown. | |||
| Offset 34, 87 lines modified | Offset 34, 74 lines modified | ||
| 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······rsyslog_remote_loghost_address:·None | 38 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 41 | ······sysctl_net_ipv4_icmp_ | 41 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_conf_ | 45 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_ | 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 52 | ······var_selinux_policy_name:·targeted | 52 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 53 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·15 | 54 | ······var_accounts_password_minlen_login_defs:·15 |
| 55 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_password_warn_age_login_defs:·7 | 55 | ······var_accounts_password_warn_age_login_defs:·7 |
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 58 | ······var_password_pam_unix_remember:·5 | 58 | ······var_password_pam_unix_remember:·5 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_tmout:·600 | 63 | ······var_accounts_tmout:·600 |
| 64 | ······var_removable_partition:·/dev/cdrom | ||
| 64 | ······var_auditd_max_log_file:·6 | 65 | ······var_auditd_max_log_file:·6 |
| 65 | ······var_auditd_admin_space_left_action:·single | 66 | ······var_auditd_admin_space_left_action:·single |
| 66 | ······var_auditd_max_log_file_action:·rotate | 67 | ······var_auditd_max_log_file_action:·rotate |
| 67 | ······var_removable_partition:·/dev/cdrom | ||
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Disable·service·s | 69 | ····-·name:·Disable·service·vsftpd |
| 70 | ······service: | 70 | ······service: |
| 71 | ········name="{{item}}" | 71 | ········name="{{item}}" |
| 72 | ········enabled="no" | 72 | ········enabled="no" |
| 73 | ········state="stopped" | 73 | ········state="stopped" |
| 74 | ······register:·service_result | 74 | ······register:·service_result |
| 75 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 75 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 76 | ······with_items: | 76 | ······with_items: |
| 77 | ········-·s | 77 | ········-·vsftpd |
| 78 | ······tags: | 78 | ······tags: |
| 79 | ········-·service_s | 79 | ········-·service_vsftpd_disabled |
| 80 | ········-·unknown_severity | 80 | ········-·unknown_severity |
| 81 | ········-·disable_strategy | 81 | ········-·disable_strategy |
| 82 | ········-·low_complexity | 82 | ········-·low_complexity |
| 83 | ········-·low_disruption | 83 | ········-·low_disruption |
| 84 | ········-·CCE-2 | 84 | ········-·CCE-26948-0 |
| 85 | ···· | 85 | ········-·NIST-800-53-CM-7 |
| 86 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 87 | ······stat: | ||
| 88 | ········path:·/etc/samba/smb.conf | ||
| 89 | ······register:·st_smb | ||
| 90 | ······tags: | ||
| 91 | ········-·require_smb_client_signing | ||
| 92 | ········-·unknown_severity | ||
| 93 | ········-·configure_strategy | ||
| 94 | ········-·low_complexity | ||
| 95 | ········-·medium_disruption | ||
| 96 | ········-·CCE-26328-5 | ||
| 97 | ········-·DISA-STIG-RHEL-06-000272 | ||
| 98 | ···· | 86 | ···· |
| 99 | ····-·name:· | 87 | ····-·name:·Ensure·vsftpd·is·removed |
| 100 | ······ | 88 | ······package: |
| 101 | ········ | 89 | ········name="{{item}}" |
| 102 | ········ | 90 | ········state=absent |
| 103 | ······ | 91 | ······with_items: |
| 104 | ········ | 92 | ········-·vsftpd |
| 105 | ······when:·st_smb.stat.exists | ||
| 106 | ······tags: | 93 | ······tags: |
| 107 | ········-· | 94 | ········-·package_vsftpd_removed |
| 108 | ········-·unknown_severity | 95 | ········-·unknown_severity |
| 109 | ········-· | 96 | ········-·disable_strategy |
| 110 | ········-·low_complexity | 97 | ········-·low_complexity |
| 111 | ········-· | 98 | ········-·low_disruption |
| 112 | ········-·CCE-26 | 99 | ········-·CCE-26687-4 |
| 113 | ········-· | 100 | ········-·NIST-800-53-CM-7 |
| 114 | ···· | 101 | ···· |
| 115 | ····-·name:·Disable·service·httpd | 102 | ····-·name:·Disable·service·httpd |
| 116 | ······service: | 103 | ······service: |
| 117 | ········name="{{item}}" | 104 | ········name="{{item}}" |
| 118 | ········enabled="no" | 105 | ········enabled="no" |
| 119 | ········state="stopped" | 106 | ········state="stopped" |
| 120 | ······register:·service_result | 107 | ······register:·service_result |
| Offset 141, 46 lines modified | Offset 128, 92 lines modified | ||
| 141 | ········-·unknown_severity | 128 | ········-·unknown_severity |
| 142 | ········-·disable_strategy | 129 | ········-·disable_strategy |
| 143 | ········-·low_complexity | 130 | ········-·low_complexity |
| 144 | ········-·low_disruption | 131 | ········-·low_disruption |
| 145 | ········-·CCE-27133-8 | 132 | ········-·CCE-27133-8 |
| 146 | ········-·NIST-800-53-CM-7 | 133 | ········-·NIST-800-53-CM-7 |
| 147 | ···· | 134 | ···· |
| 148 | ····-·name:· | 135 | ····-·name:·Disable·service·named |
| 136 | ······service: | ||
| 137 | ········name="{{item}}" | ||
| 138 | ········enabled="no" | ||
| 139 | ········state="stopped" | ||
| 140 | ······register:·service_result | ||
| 141 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 142 | ······with_items: | ||
| 143 | ········-·named | ||
| 144 | ······tags: | ||
| 145 | ········-·service_named_disabled | ||
| 146 | ········-·unknown_severity | ||
| 147 | ········-·disable_strategy | ||
| 148 | ········-·low_complexity | ||
| 149 | ········-·low_disruption | ||
| 150 | ········-·CCE-26873-0 | ||
| 151 | ········-·NIST-800-53-CM-7 | ||
| 152 | ···· | ||
| 153 | ····-·name:·Ensure·bind·is·removed | ||
| 149 | ······package: | 154 | ······package: |
| 150 | ········name="{{item}}" | 155 | ········name="{{item}}" |
| 151 | ········state=absent | 156 | ········state=absent |
| 152 | ······with_items: | 157 | ······with_items: |
| 153 | ········-· | 158 | ········-·bind |
| 154 | ······tags: | 159 | ······tags: |
| 155 | ········-·package_ | 160 | ········-·package_bind_removed |
| 156 | ········-· | 161 | ········-·unknown_severity |
| 157 | ········-·disable_strategy | 162 | ········-·disable_strategy |
| 158 | ········-·low_complexity | 163 | ········-·low_complexity |
| Max diff block lines reached; 126640/131720 bytes (96.14%) of diff not shown. | |||
| Offset 32, 46 lines modified | Offset 32, 46 lines modified | ||
| 32 | ·········msg:·> | 32 | ·········msg:·> |
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 36 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 37 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 37 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 38 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 38 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 39 | ······sysctl_net_ipv4_icmp_ | 39 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 40 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 41 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 42 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_ | 43 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 44 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 44 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 46 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 47 | ······sysctl_net_ipv4_icmp_ | 47 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_ | 48 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 49 | ······var_selinux_policy_name:·targeted | 49 | ······var_selinux_policy_name:·targeted |
| 50 | ······var_selinux_state:·enforcing | 50 | ······var_selinux_state:·enforcing |
| 51 | ······var_accounts_password_minlen_login_defs:·12 | 51 | ······var_accounts_password_minlen_login_defs:·12 |
| 52 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 53 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 54 | ······var_accounts_password_warn_age_login_defs:·7 | 52 | ······var_accounts_password_warn_age_login_defs:·7 |
| 53 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 54 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 55 | ······var_account_disable_post_pw_expiration:·90 | 55 | ······var_account_disable_post_pw_expiration:·90 |
| 56 | ······var_password_pam_unix_remember:·24 | 56 | ······var_password_pam_unix_remember:·24 |
| 57 | ······var_accounts_passwords_pam_faillock_deny:·3 | 57 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 58 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 58 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 59 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 59 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 60 | ······var_password_pam_maxrepeat:·3 | 60 | ······var_password_pam_maxrepeat:·3 |
| 61 | ······var_password_pam_retry:·3 | 61 | ······var_password_pam_retry:·3 |
| 62 | ······var_accounts_max_concurrent_login_sessions:·1 | 62 | ······var_accounts_max_concurrent_login_sessions:·1 |
| 63 | ······var_removable_partition:·/dev/cdrom | ||
| 64 | ······var_removable_partition:·/dev/cdrom | ||
| 65 | ······var_removable_partition:·/dev/cdrom | ||
| 63 | ······var_auditd_max_log_file:·1 | 66 | ······var_auditd_max_log_file:·1 |
| 64 | ······var_auditd_action_mail_acct:·admin | 67 | ······var_auditd_action_mail_acct:·admin |
| 65 | ······var_auditd_space_left_action:·suspend | ||
| 66 | ······var_auditd_admin_space_left_action:·halt | 68 | ······var_auditd_admin_space_left_action:·halt |
| 69 | ······var_auditd_space_left_action:·suspend | ||
| 67 | ······var_auditd_max_log_file_action:·ignore | 70 | ······var_auditd_max_log_file_action:·ignore |
| 68 | ······var_removable_partition:·/dev/cdrom | ||
| 69 | ······var_removable_partition:·/dev/cdrom | ||
| 70 | ······var_removable_partition:·/dev/cdrom | ||
| 71 | ···tasks: | 71 | ···tasks: |
| 72 | ····-·name:·Enable·service·ntpd | 72 | ····-·name:·Enable·service·ntpd |
| 73 | ······service: | 73 | ······service: |
| 74 | ········name="{{item}}" | 74 | ········name="{{item}}" |
| 75 | ········enabled="yes" | 75 | ········enabled="yes" |
| 76 | ········state="started" | 76 | ········state="started" |
| 77 | ······with_items: | 77 | ······with_items: |
| Offset 83, 14 lines modified | Offset 83, 50 lines modified | ||
| 83 | ········-·low_complexity | 83 | ········-·low_complexity |
| 84 | ········-·low_disruption | 84 | ········-·low_disruption |
| 85 | ········-·CCE-27093-4 | 85 | ········-·CCE-27093-4 |
| 86 | ········-·NIST-800-53-AU-8(1) | 86 | ········-·NIST-800-53-AU-8(1) |
| 87 | ········-·PCI-DSS-Req-10.4 | 87 | ········-·PCI-DSS-Req-10.4 |
| 88 | ········-·DISA-STIG-RHEL-06-000247 | 88 | ········-·DISA-STIG-RHEL-06-000247 |
| 89 | ···· | 89 | ···· |
| 90 | ····-·name:·Enable·service·crond | ||
| 91 | ······service: | ||
| 92 | ········name="{{item}}" | ||
| 93 | ········enabled="yes" | ||
| 94 | ········state="started" | ||
| 95 | ······with_items: | ||
| 96 | ········-·crond | ||
| 97 | ······tags: | ||
| 98 | ········-·service_crond_enabled | ||
| 99 | ········-·medium_severity | ||
| 100 | ········-·enable_strategy | ||
| 101 | ········-·low_complexity | ||
| 102 | ········-·low_disruption | ||
| 103 | ········-·CCE-27070-2 | ||
| 104 | ········-·NIST-800-53-CM-7 | ||
| 105 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 106 | ···· | ||
| 107 | ····-·name:·Disable·service·atd | ||
| 108 | ······service: | ||
| 109 | ········name="{{item}}" | ||
| 110 | ········enabled="no" | ||
| 111 | ········state="stopped" | ||
| 112 | ······register:·service_result | ||
| 113 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 114 | ······with_items: | ||
| 115 | ········-·atd | ||
| 116 | ······tags: | ||
| 117 | ········-·service_atd_disabled | ||
| 118 | ········-·unknown_severity | ||
| 119 | ········-·disable_strategy | ||
| 120 | ········-·low_complexity | ||
| 121 | ········-·low_disruption | ||
| 122 | ········-·CCE-27249-2 | ||
| 123 | ········-·NIST-800-53-CM-7 | ||
| 124 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 125 | ···· | ||
| 90 | ····-·name:·Ensure·rsh·is·removed | 126 | ····-·name:·Ensure·rsh·is·removed |
| 91 | ······package: | 127 | ······package: |
| 92 | ········name="{{item}}" | 128 | ········name="{{item}}" |
| 93 | ········state=absent | 129 | ········state=absent |
| 94 | ······with_items: | 130 | ······with_items: |
| 95 | ········-·rsh | 131 | ········-·rsh |
| 96 | ······tags: | 132 | ······tags: |
| Offset 243, 50 lines modified | Offset 279, 14 lines modified | ||
| 243 | ········-·disable_strategy | 279 | ········-·disable_strategy |
| 244 | ········-·low_complexity | 280 | ········-·low_complexity |
| 245 | ········-·low_disruption | 281 | ········-·low_disruption |
| 246 | ········-·CCE-27005-8 | 282 | ········-·CCE-27005-8 |
| 247 | ········-·NIST-800-53-CM-7 | 283 | ········-·NIST-800-53-CM-7 |
| 248 | ········-·DISA-STIG-RHEL-06-000204 | 284 | ········-·DISA-STIG-RHEL-06-000204 |
| 249 | ···· | 285 | ···· |
| 250 | ····-·name:·Enable·service·crond | ||
| 251 | ······service: | ||
| 252 | ········name="{{item}}" | ||
| 253 | ········enabled="yes" | ||
| 254 | ········state="started" | ||
| 255 | ······with_items: | ||
| 256 | ········-·crond | ||
| 257 | ······tags: | ||
| 258 | ········-·service_crond_enabled | ||
| 259 | ········-·medium_severity | ||
| 260 | ········-·enable_strategy | ||
| 261 | ········-·low_complexity | ||
| 262 | ········-·low_disruption | ||
| 263 | ········-·CCE-27070-2 | ||
| 264 | ········-·NIST-800-53-CM-7 | ||
| 265 | ········-·DISA-STIG-RHEL-06-000224 | ||
| Max diff block lines reached; 145514/150564 bytes (96.65%) of diff not shown. | |||
| Offset 33, 42 lines modified | Offset 33, 57 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·300 | 36 | ······sshd_idle_timeout_value:·300 |
| 37 | ······rsyslog_remote_loghost_address:·None | 37 | ······rsyslog_remote_loghost_address:·None |
| 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 40 | ······sysctl_net_ipv4_icmp_ | 40 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_ | 44 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 49 | ······sysctl_net_ipv4_icmp_ | 49 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_ | 50 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 51 | ······var_selinux_policy_name:·targeted | 51 | ······var_selinux_policy_name:·targeted |
| 52 | ······var_selinux_state:·enforcing | 52 | ······var_selinux_state:·enforcing |
| 53 | ······var_accounts_password_minlen_login_defs:·15 | 53 | ······var_accounts_password_minlen_login_defs:·15 |
| 54 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 55 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | 54 | ······var_accounts_password_warn_age_login_defs:·7 |
| 55 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 56 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 57 | ······var_password_pam_unix_remember:·5 | 57 | ······var_password_pam_unix_remember:·5 |
| 58 | ······var_accounts_passwords_pam_faillock_deny:·3 | 58 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 59 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 59 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 60 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 60 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 61 | ······var_password_pam_retry:·3 | 61 | ······var_password_pam_retry:·3 |
| 62 | ······var_accounts_tmout:·600 | 62 | ······var_accounts_tmout:·600 |
| 63 | ······var_removable_partition:·/dev/cdrom | ||
| 63 | ······var_auditd_max_log_file:·6 | 64 | ······var_auditd_max_log_file:·6 |
| 64 | ······var_auditd_admin_space_left_action:·single | 65 | ······var_auditd_admin_space_left_action:·single |
| 65 | ······var_auditd_max_log_file_action:·rotate | 66 | ······var_auditd_max_log_file_action:·rotate |
| 66 | ······var_removable_partition:·/dev/cdrom | ||
| 67 | ···tasks: | 67 | ···tasks: |
| 68 | ····-·name:·Ensure·vsftpd·is·installed | ||
| 69 | ······package: | ||
| 70 | ········name="{{item}}" | ||
| 71 | ········state=present | ||
| 72 | ······with_items: | ||
| 73 | ········-·vsftpd | ||
| 74 | ······tags: | ||
| 75 | ········-·package_vsftpd_installed | ||
| 76 | ········-·unknown_severity | ||
| 77 | ········-·enable_strategy | ||
| 78 | ········-·low_complexity | ||
| 79 | ········-·low_disruption | ||
| 80 | ········-·CCE-27187-4 | ||
| 81 | ········-·NIST-800-53-CM-7 | ||
| 82 | ···· | ||
| 68 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | 83 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 69 | ······stat: | 84 | ······stat: |
| 70 | ········path:·/etc/samba/smb.conf | 85 | ········path:·/etc/samba/smb.conf |
| 71 | ······register:·st_smb | 86 | ······register:·st_smb |
| 72 | ······tags: | 87 | ······tags: |
| 73 | ········-·require_smb_client_signing | 88 | ········-·require_smb_client_signing |
| 74 | ········-·unknown_severity | 89 | ········-·unknown_severity |
| Offset 108, 14 lines modified | Offset 123, 81 lines modified | ||
| 108 | ········-·low_complexity | 123 | ········-·low_complexity |
| 109 | ········-·low_disruption | 124 | ········-·low_disruption |
| 110 | ········-·CCE-27093-4 | 125 | ········-·CCE-27093-4 |
| 111 | ········-·NIST-800-53-AU-8(1) | 126 | ········-·NIST-800-53-AU-8(1) |
| 112 | ········-·PCI-DSS-Req-10.4 | 127 | ········-·PCI-DSS-Req-10.4 |
| 113 | ········-·DISA-STIG-RHEL-06-000247 | 128 | ········-·DISA-STIG-RHEL-06-000247 |
| 114 | ···· | 129 | ···· |
| 130 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 131 | ······package: | ||
| 132 | ········name="{{item}}" | ||
| 133 | ········state=absent | ||
| 134 | ······with_items: | ||
| 135 | ········-·openldap-servers | ||
| 136 | ······tags: | ||
| 137 | ········-·package_openldap-servers_removed | ||
| 138 | ········-·unknown_severity | ||
| 139 | ········-·disable_strategy | ||
| 140 | ········-·low_complexity | ||
| 141 | ········-·low_disruption | ||
| 142 | ········-·CCE-26858-1 | ||
| 143 | ········-·NIST-800-53-CM-7 | ||
| 144 | ········-·DISA-STIG-RHEL-06-000256 | ||
| 145 | ···· | ||
| 146 | ····-·name:·Enable·service·crond | ||
| 147 | ······service: | ||
| 148 | ········name="{{item}}" | ||
| 149 | ········enabled="yes" | ||
| 150 | ········state="started" | ||
| 151 | ······with_items: | ||
| 152 | ········-·crond | ||
| 153 | ······tags: | ||
| 154 | ········-·service_crond_enabled | ||
| 155 | ········-·medium_severity | ||
| 156 | ········-·enable_strategy | ||
| 157 | ········-·low_complexity | ||
| 158 | ········-·low_disruption | ||
| 159 | ········-·CCE-27070-2 | ||
| 160 | ········-·NIST-800-53-CM-7 | ||
| 161 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 162 | ···· | ||
| 163 | ····-·name:·Disable·service·atd | ||
| 164 | ······service: | ||
| 165 | ········name="{{item}}" | ||
| 166 | ········enabled="no" | ||
| 167 | ········state="stopped" | ||
| 168 | ······register:·service_result | ||
| 169 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 170 | ······with_items: | ||
| 171 | ········-·atd | ||
| 172 | ······tags: | ||
| 173 | ········-·service_atd_disabled | ||
| 174 | ········-·unknown_severity | ||
| 175 | ········-·disable_strategy | ||
| 176 | ········-·low_complexity | ||
| 177 | ········-·low_disruption | ||
| 178 | ········-·CCE-27249-2 | ||
| 179 | ········-·NIST-800-53-CM-7 | ||
| 180 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 181 | ···· | ||
| 182 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 183 | ······package: | ||
| 184 | ········name="{{item}}" | ||
| 185 | ········state=absent | ||
| 186 | ······with_items: | ||
| 187 | ········-·xorg-x11-server-common | ||
| 188 | ······tags: | ||
| Max diff block lines reached; 114906/119566 bytes (96.10%) of diff not shown. | |||
| Offset 38, 75 lines modified | Offset 38, 61 lines modified | ||
| 38 | ·········· | 38 | ·········· |
| 39 | ···vars: | 39 | ···vars: |
| 40 | ······sshd_idle_timeout_value:·300 | 40 | ······sshd_idle_timeout_value:·300 |
| 41 | ······rsyslog_remote_loghost_address:·None | 41 | ······rsyslog_remote_loghost_address:·None |
| 42 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 42 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 43 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 44 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_icmp_ | 45 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 47 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_ | 49 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 50 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 52 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 53 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 54 | ······sysctl_net_ipv4_icmp_ | 54 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 55 | ······sysctl_net_ipv4_conf_ | 55 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 56 | ······var_selinux_policy_name:·targeted | 56 | ······var_selinux_policy_name:·targeted |
| 57 | ······var_selinux_state:·enforcing | 57 | ······var_selinux_state:·enforcing |
| 58 | ······var_accounts_password_minlen_login_defs:·15 | 58 | ······var_accounts_password_minlen_login_defs:·15 |
| 59 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 60 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 61 | ······var_accounts_password_warn_age_login_defs:·7 | 59 | ······var_accounts_password_warn_age_login_defs:·7 |
| 60 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 61 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 62 | ······var_account_disable_post_pw_expiration:·40 | 62 | ······var_account_disable_post_pw_expiration:·40 |
| 63 | ······var_password_pam_unix_remember:·5 | 63 | ······var_password_pam_unix_remember:·5 |
| 64 | ······var_accounts_passwords_pam_faillock_deny:·3 | 64 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 65 | ······var_accounts_passwords_pam_faillock_unlock_time:·900 | 65 | ······var_accounts_passwords_pam_faillock_unlock_time:·900 |
| 66 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 66 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 67 | ······var_password_pam_retry:·3 | 67 | ······var_password_pam_retry:·3 |
| 68 | ······var_accounts_tmout:·600 | 68 | ······var_accounts_tmout:·600 |
| 69 | ······var_removable_partition:·/dev/cdrom | ||
| 70 | ······var_removable_partition:·/dev/cdrom | ||
| 71 | ······var_removable_partition:·/dev/cdrom | ||
| 69 | ······var_auditd_max_log_file:·6 | 72 | ······var_auditd_max_log_file:·6 |
| 70 | ······var_auditd_action_mail_acct:·admin | 73 | ······var_auditd_action_mail_acct:·admin |
| 71 | ······var_auditd_space_left_action:·suspend | ||
| 72 | ······var_auditd_admin_space_left_action:·single | 74 | ······var_auditd_admin_space_left_action:·single |
| 75 | ······var_auditd_space_left_action:·suspend | ||
| 73 | ······var_auditd_max_log_file_action:·rotate | 76 | ······var_auditd_max_log_file_action:·rotate |
| 74 | ······var_removable_partition:·/dev/cdrom | ||
| 75 | ······var_removable_partition:·/dev/cdrom | ||
| 76 | ······var_removable_partition:·/dev/cdrom | ||
| 77 | ···tasks: | 77 | ···tasks: |
| 78 | ····-·name:· | 78 | ····-·name:·Ensure·vsftpd·is·removed |
| 79 | ······ | 79 | ······package: |
| 80 | ········ | 80 | ········name="{{item}}" |
| 81 | ······ | 81 | ········state=absent |
| 82 | ······t | 82 | ······with_items: |
| 83 | ········-· | 83 | ········-·vsftpd |
| 84 | ········-·unknown_severity | ||
| 85 | ········-·configure_strategy | ||
| 86 | ········-·low_complexity | ||
| 87 | ········-·medium_disruption | ||
| 88 | ········-·CCE-26328-5 | ||
| 89 | ········-·DISA-STIG-RHEL-06-000272 | ||
| 90 | ···· | ||
| 91 | ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient | ||
| 92 | ······lineinfile: | ||
| 93 | ········dest:·/etc/samba/smb.conf | ||
| 94 | ········line:·client·signing·=·mandatory | ||
| 95 | ········state:·present | ||
| 96 | ········insertafter:·[global] | ||
| 97 | ······when:·st_smb.stat.exists | ||
| 98 | ······tags: | 84 | ······tags: |
| 99 | ········-· | 85 | ········-·package_vsftpd_removed |
| 100 | ········-·unknown_severity | 86 | ········-·unknown_severity |
| 101 | ········-· | 87 | ········-·disable_strategy |
| 102 | ········-·low_complexity | 88 | ········-·low_complexity |
| 103 | ········-· | 89 | ········-·low_disruption |
| 104 | ········-·CCE-26 | 90 | ········-·CCE-26687-4 |
| 105 | ········-· | 91 | ········-·NIST-800-53-CM-7 |
| 106 | ···· | 92 | ···· |
| 107 | ····-·name:·Disable·service·httpd | 93 | ····-·name:·Disable·service·httpd |
| 108 | ······service: | 94 | ······service: |
| 109 | ········name="{{item}}" | 95 | ········name="{{item}}" |
| 110 | ········enabled="no" | 96 | ········enabled="no" |
| 111 | ········state="stopped" | 97 | ········state="stopped" |
| 112 | ······register:·service_result | 98 | ······register:·service_result |
| Offset 133, 62 lines modified | Offset 119, 75 lines modified | ||
| 133 | ········-·unknown_severity | 119 | ········-·unknown_severity |
| 134 | ········-·disable_strategy | 120 | ········-·disable_strategy |
| 135 | ········-·low_complexity | 121 | ········-·low_complexity |
| 136 | ········-·low_disruption | 122 | ········-·low_disruption |
| 137 | ········-·CCE-27133-8 | 123 | ········-·CCE-27133-8 |
| 138 | ········-·NIST-800-53-CM-7 | 124 | ········-·NIST-800-53-CM-7 |
| 139 | ···· | 125 | ···· |
| 140 | ····-·name:· | 126 | ····-·name:·Disable·service·named |
| 141 | ······ | 127 | ······service: |
| 142 | ········name="{{item}}" | 128 | ········name="{{item}}" |
| 143 | ········ | 129 | ········enabled="no" |
| 130 | ········state="stopped" | ||
| 131 | ······register:·service_result | ||
| 132 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 144 | ······with_items: | 133 | ······with_items: |
| 145 | ········-· | 134 | ········-·named |
| 146 | ······tags: | 135 | ······tags: |
| 147 | ········-· | 136 | ········-·service_named_disabled |
| 148 | ········-· | 137 | ········-·unknown_severity |
| 149 | ········-·disable_strategy | 138 | ········-·disable_strategy |
| 150 | ········-·low_complexity | 139 | ········-·low_complexity |
| 151 | ········-·low_disruption | 140 | ········-·low_disruption |
| 152 | ········-·CCE-2 | 141 | ········-·CCE-26873-0 |
| 153 | ········-·NIST-800-53-CM-7 | 142 | ········-·NIST-800-53-CM-7 |
| 154 | ········-·DISA-STIG-RHEL-06-000288 | ||
| 155 | ···· | 143 | ···· |
| 156 | ····-·name:·Ensure· | 144 | ····-·name:·Ensure·bind·is·removed |
| 157 | ······package: | 145 | ······package: |
| 158 | ········name="{{item}}" | 146 | ········name="{{item}}" |
| 159 | ········state=absent | 147 | ········state=absent |
| 160 | ······with_items: | 148 | ······with_items: |
| 161 | ········-· | 149 | ········-·bind |
| 162 | ······tags: | 150 | ······tags: |
| 163 | ········-·package_ | 151 | ········-·package_bind_removed |
| 164 | ········-· | 152 | ········-·unknown_severity |
| 165 | ········-·disable_strategy | 153 | ········-·disable_strategy |
| 166 | ········-·low_complexity | 154 | ········-·low_complexity |
| 167 | ········-·low_disruption | 155 | ········-·low_disruption |
| 168 | ········-·CCE-27 | 156 | ········-·CCE-27030-6 |
| 169 | ········-·NIST-800-53-CM-7 | 157 | ········-·NIST-800-53-CM-7 |
| 170 | ···· | 158 | ···· |
| 171 | ····-·name:· | 159 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 172 | ······s | 160 | ······stat: |
| 173 | ········ | 161 | ········path:·/etc/samba/smb.conf |
| 174 | ······ | 162 | ······register:·st_smb |
| Max diff block lines reached; 169386/174902 bytes (96.85%) of diff not shown. | |||
| Offset 39, 16 lines modified | Offset 39, 16 lines modified | ||
| 39 | ······var_password_pam_unix_remember:·4 | 39 | ······var_password_pam_unix_remember:·4 |
| 40 | ······var_accounts_passwords_pam_faillock_deny:·6 | 40 | ······var_accounts_passwords_pam_faillock_deny:·6 |
| 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 | 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 |
| 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 43 | ······var_password_pam_minlen:·7 | 43 | ······var_password_pam_minlen:·7 |
| 44 | ······var_auditd_max_log_file:·1 | 44 | ······var_auditd_max_log_file:·1 |
| 45 | ······var_auditd_action_mail_acct:·admin | 45 | ······var_auditd_action_mail_acct:·admin |
| 46 | ······var_auditd_space_left_action:·suspend | ||
| 47 | ······var_auditd_admin_space_left_action:·suspend | 46 | ······var_auditd_admin_space_left_action:·suspend |
| 47 | ······var_auditd_space_left_action:·suspend | ||
| 48 | ······var_auditd_max_log_file_action:·ignore | 48 | ······var_auditd_max_log_file_action:·ignore |
| 49 | ···tasks: | 49 | ···tasks: |
| 50 | ····-·name:·Enable·service·ntpd | 50 | ····-·name:·Enable·service·ntpd |
| 51 | ······service: | 51 | ······service: |
| 52 | ········name="{{item}}" | 52 | ········name="{{item}}" |
| 53 | ········enabled="yes" | 53 | ········enabled="yes" |
| 54 | ········state="started" | 54 | ········state="started" |
| Offset 83, 439 lines modified | Offset 83, 14 lines modified | ||
| 83 | ········-·low_disruption | 83 | ········-·low_disruption |
| 84 | ········-·CCE-26919-1 | 84 | ········-·CCE-26919-1 |
| 85 | ········-·NIST-800-53-AC-2(5) | 85 | ········-·NIST-800-53-AC-2(5) |
| 86 | ········-·NIST-800-53-SA-8 | 86 | ········-·NIST-800-53-SA-8 |
| 87 | ········-·PCI-DSS-Req-8.1.8 | 87 | ········-·PCI-DSS-Req-8.1.8 |
| 88 | ········-·DISA-STIG-RHEL-06-000230 | 88 | ········-·DISA-STIG-RHEL-06-000230 |
| 89 | ···· | 89 | ···· |
| 90 | ····-·name:·"Read·list·of·files·with·incorrect·permissions" | ||
| 91 | ······shell:·"rpm·-Va·|·grep·'^.M'·|·cut·-d·'·'·-f5-·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" | ||
| 92 | ······register:·files_with_incorrect_permissions | ||
| 93 | ······failed_when:·False | ||
| 94 | ······changed_when:·False | ||
| 95 | ······check_mode:·no | ||
| 96 | ······tags: | ||
| 97 | ········-·rpm_verify_permissions | ||
| 98 | ········-·unknown_severity | ||
| 99 | ········-·restrict_strategy | ||
| 100 | ········-·high_complexity | ||
| 101 | ········-·medium_disruption | ||
| 102 | ········-·CCE-26731-0 | ||
| 103 | ········-·NIST-800-53-AC-6 | ||
| 104 | ········-·NIST-800-53-CM-6(d) | ||
| 105 | ········-·NIST-800-53-SI-7 | ||
| 106 | ········-·PCI-DSS-Req-11.5 | ||
| 107 | ········-·DISA-STIG-RHEL-06-000518 | ||
| 108 | ···· | ||
| 109 | ····-·name:·"Correct·file·permissions·with·RPM" | ||
| 110 | ······shell:·"rpm·--setperms·$(rpm·-qf·'{{item}}')" | ||
| 111 | ······with_items:·"{{·files_with_incorrect_permissions.stdout_lines·}}" | ||
| 112 | ······when:·files_with_incorrect_permissions.stdout_lines·|·length·>·0 | ||
| 113 | ······tags: | ||
| 114 | ········-·rpm_verify_permissions | ||
| 115 | ········-·unknown_severity | ||
| 116 | ········-·restrict_strategy | ||
| 117 | ········-·high_complexity | ||
| 118 | ········-·medium_disruption | ||
| 119 | ········-·CCE-26731-0 | ||
| 120 | ········-·NIST-800-53-AC-6 | ||
| 121 | ········-·NIST-800-53-CM-6(d) | ||
| 122 | ········-·NIST-800-53-SI-7 | ||
| 123 | ········-·PCI-DSS-Req-11.5 | ||
| 124 | ········-·DISA-STIG-RHEL-06-000518 | ||
| 125 | ···· | ||
| 126 | ····-·name:·"Set·fact:·Package·manager·reinstall·command·(dnf)" | ||
| 127 | ······set_fact: | ||
| 128 | ········package_manager_reinstall_cmd:·dnf·reinstall·-y | ||
| 129 | ······when:·ansible_distribution·==·"Fedora" | ||
| 130 | ······tags: | ||
| 131 | ········-·rpm_verify_hashes | ||
| 132 | ········-·unknown_severity | ||
| 133 | ········-·unknown_strategy | ||
| 134 | ········-·high_complexity | ||
| 135 | ········-·medium_disruption | ||
| 136 | ········-·CCE-27223-7 | ||
| 137 | ········-·NIST-800-53-CM-6(d) | ||
| 138 | ········-·NIST-800-53-SI-7 | ||
| 139 | ········-·PCI-DSS-Req-11.5 | ||
| 140 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 141 | ···· | ||
| 142 | ····-·name:·"Set·fact:·Package·manager·reinstall·command·(yum)" | ||
| 143 | ······set_fact: | ||
| 144 | ········package_manager_reinstall_cmd:·yum·reinstall·-y | ||
| 145 | ······when:·ansible_distribution·==·"RedHat"·or·ansible_distribution·==·"OracleLinux" | ||
| 146 | ······tags: | ||
| 147 | ········-·rpm_verify_hashes | ||
| 148 | ········-·unknown_severity | ||
| 149 | ········-·unknown_strategy | ||
| 150 | ········-·high_complexity | ||
| 151 | ········-·medium_disruption | ||
| 152 | ········-·CCE-27223-7 | ||
| 153 | ········-·NIST-800-53-CM-6(d) | ||
| 154 | ········-·NIST-800-53-SI-7 | ||
| 155 | ········-·PCI-DSS-Req-11.5 | ||
| 156 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 157 | ···· | ||
| 158 | ····-·name:·"Read·files·with·incorrect·hash" | ||
| 159 | ······shell:·"rpm·-Va·|·grep·-E·'^..5.*·/(bin|sbin|lib|lib64|usr)/'·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" | ||
| 160 | ······register:·files_with_incorrect_hash | ||
| 161 | ······changed_when:·False | ||
| 162 | ······when:·package_manager_reinstall_cmd·is·defined | ||
| 163 | ······check_mode:·no | ||
| 164 | ······tags: | ||
| 165 | ········-·rpm_verify_hashes | ||
| 166 | ········-·unknown_severity | ||
| 167 | ········-·unknown_strategy | ||
| 168 | ········-·high_complexity | ||
| 169 | ········-·medium_disruption | ||
| 170 | ········-·CCE-27223-7 | ||
| 171 | ········-·NIST-800-53-CM-6(d) | ||
| 172 | ········-·NIST-800-53-SI-7 | ||
| 173 | ········-·PCI-DSS-Req-11.5 | ||
| 174 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 175 | ···· | ||
| 176 | ····-·name:·"Reinstall·packages·of·files·with·incorrect·hash" | ||
| 177 | ······shell:·"{{package_manager_reinstall_cmd}}·$(rpm·-qf·'{{item}}')" | ||
| 178 | ······with_items:·"{{·files_with_incorrect_hash.stdout_lines·}}" | ||
| 179 | ······when:·package_manager_reinstall_cmd·is·defined·and·(files_with_incorrect_hash.stdout_lines·|·length·>·0) | ||
| 180 | ······tags: | ||
| 181 | ········-·rpm_verify_hashes | ||
| 182 | ········-·unknown_severity | ||
| 183 | ········-·unknown_strategy | ||
| 184 | ········-·high_complexity | ||
| 185 | ········-·medium_disruption | ||
| 186 | ········-·CCE-27223-7 | ||
| 187 | ········-·NIST-800-53-CM-6(d) | ||
| 188 | ········-·NIST-800-53-SI-7 | ||
| 189 | ········-·PCI-DSS-Req-11.5 | ||
| 190 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 191 | ···· | ||
| Max diff block lines reached; 77885/91457 bytes (85.16%) of diff not shown. | |||
| Offset 33, 23 lines modified | Offset 33, 42 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·300 | 36 | ······sshd_idle_timeout_value:·300 |
| 37 | ······var_selinux_policy_name:·targeted | 37 | ······var_selinux_policy_name:·targeted |
| 38 | ······var_selinux_state:·enforcing | 38 | ······var_selinux_state:·enforcing |
| 39 | ······var_accounts_password_minlen_login_defs:·6 | 39 | ······var_accounts_password_minlen_login_defs:·6 |
| 40 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 41 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 42 | ······var_accounts_password_warn_age_login_defs:·7 | 40 | ······var_accounts_password_warn_age_login_defs:·7 |
| 41 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 42 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 43 | ······var_password_pam_unix_remember:·5 | 43 | ······var_password_pam_unix_remember:·5 |
| 44 | ······var_accounts_passwords_pam_faillock_deny:·5 | 44 | ······var_accounts_passwords_pam_faillock_deny:·5 |
| 45 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 45 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 46 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 46 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 47 | ······var_password_pam_retry:·3 | 47 | ······var_password_pam_retry:·3 |
| 48 | ···tasks: | 48 | ···tasks: |
| 49 | ····-·name:·Disable·service·atd | ||
| 50 | ······service: | ||
| 51 | ········name="{{item}}" | ||
| 52 | ········enabled="no" | ||
| 53 | ········state="stopped" | ||
| 54 | ······register:·service_result | ||
| 55 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 56 | ······with_items: | ||
| 57 | ········-·atd | ||
| 58 | ······tags: | ||
| 59 | ········-·service_atd_disabled | ||
| 60 | ········-·unknown_severity | ||
| 61 | ········-·disable_strategy | ||
| 62 | ········-·low_complexity | ||
| 63 | ········-·low_disruption | ||
| 64 | ········-·CCE-27249-2 | ||
| 65 | ········-·NIST-800-53-CM-7 | ||
| 66 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 67 | ···· | ||
| 49 | ····-·name:·Ensure·rsh-server·is·removed | 68 | ····-·name:·Ensure·rsh-server·is·removed |
| 50 | ······package: | 69 | ······package: |
| 51 | ········name="{{item}}" | 70 | ········name="{{item}}" |
| 52 | ········state=absent | 71 | ········state=absent |
| 53 | ······with_items: | 72 | ······with_items: |
| 54 | ········-·rsh-server | 73 | ········-·rsh-server |
| 55 | ······tags: | 74 | ······tags: |
| Offset 179, 33 lines modified | Offset 198, 14 lines modified | ||
| 179 | ········-·disable_strategy | 198 | ········-·disable_strategy |
| 180 | ········-·low_complexity | 199 | ········-·low_complexity |
| 181 | ········-·low_disruption | 200 | ········-·low_disruption |
| 182 | ········-·CCE-27005-8 | 201 | ········-·CCE-27005-8 |
| 183 | ········-·NIST-800-53-CM-7 | 202 | ········-·NIST-800-53-CM-7 |
| 184 | ········-·DISA-STIG-RHEL-06-000204 | 203 | ········-·DISA-STIG-RHEL-06-000204 |
| 185 | ···· | 204 | ···· |
| 186 | ····-·name:·Disable·service·atd | ||
| 187 | ······service: | ||
| 188 | ········name="{{item}}" | ||
| 189 | ········enabled="no" | ||
| 190 | ········state="stopped" | ||
| 191 | ······register:·service_result | ||
| 192 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 193 | ······with_items: | ||
| 194 | ········-·atd | ||
| 195 | ······tags: | ||
| 196 | ········-·service_atd_disabled | ||
| 197 | ········-·unknown_severity | ||
| 198 | ········-·disable_strategy | ||
| 199 | ········-·low_complexity | ||
| 200 | ········-·low_disruption | ||
| 201 | ········-·CCE-27249-2 | ||
| 202 | ········-·NIST-800-53-CM-7 | ||
| 203 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 204 | ···· | ||
| 205 | ····-·name:·Disable·service·rdisc | 205 | ····-·name:·Disable·service·rdisc |
| 206 | ······service: | 206 | ······service: |
| 207 | ········name="{{item}}" | 207 | ········name="{{item}}" |
| 208 | ········enabled="no" | 208 | ········enabled="no" |
| 209 | ········state="stopped" | 209 | ········state="stopped" |
| 210 | ······register:·service_result | 210 | ······register:·service_result |
| 211 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 211 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 294, 14 lines modified | Offset 294, 33 lines modified | ||
| 294 | ········-·disable_strategy | 294 | ········-·disable_strategy |
| 295 | ········-·low_complexity | 295 | ········-·low_complexity |
| 296 | ········-·low_disruption | 296 | ········-·low_disruption |
| 297 | ········-·CCE-27256-7 | 297 | ········-·CCE-27256-7 |
| 298 | ········-·NIST-800-53-CM-7 | 298 | ········-·NIST-800-53-CM-7 |
| 299 | ········-·DISA-STIG-RHEL-06-000265 | 299 | ········-·DISA-STIG-RHEL-06-000265 |
| 300 | ···· | 300 | ···· |
| 301 | ····-·name:·Disable·service·avahi-daemon | ||
| 302 | ······service: | ||
| 303 | ········name="{{item}}" | ||
| 304 | ········enabled="no" | ||
| 305 | ········state="stopped" | ||
| 306 | ······register:·service_result | ||
| 307 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 308 | ······with_items: | ||
| 309 | ········-·avahi-daemon | ||
| 310 | ······tags: | ||
| 311 | ········-·service_avahi-daemon_disabled | ||
| 312 | ········-·unknown_severity | ||
| 313 | ········-·disable_strategy | ||
| 314 | ········-·low_complexity | ||
| 315 | ········-·low_disruption | ||
| 316 | ········-·CCE-27087-6 | ||
| 317 | ········-·NIST-800-53-CM-7 | ||
| 318 | ········-·DISA-STIG-RHEL-06-000246 | ||
| 319 | ···· | ||
| 301 | ····-·name:·Disable·SSH·Support·for·.rhosts·Files | 320 | ····-·name:·Disable·SSH·Support·for·.rhosts·Files |
| 302 | ······lineinfile: | 321 | ······lineinfile: |
| 303 | ········create:·yes | 322 | ········create:·yes |
| 304 | ········dest:·/etc/ssh/sshd_config | 323 | ········dest:·/etc/ssh/sshd_config |
| 305 | ········regexp:·^IgnoreRhosts | 324 | ········regexp:·^IgnoreRhosts |
| 306 | ········line:·IgnoreRhosts·yes | 325 | ········line:·IgnoreRhosts·yes |
| 307 | ········validate:·sshd·-t·-f·%s | 326 | ········validate:·sshd·-t·-f·%s |
| Offset 440, 33 lines modified | Offset 459, 14 lines modified | ||
| 440 | ········-·restrict_strategy | 459 | ········-·restrict_strategy |
| 441 | ········-·low_complexity | 460 | ········-·low_complexity |
| 442 | ········-·low_disruption | 461 | ········-·low_disruption |
| 443 | ········-·CCE-27091-8 | 462 | ········-·CCE-27091-8 |
| 444 | ········-·NIST-800-53-AC-3 | 463 | ········-·NIST-800-53-AC-3 |
| 445 | ········-·DISA-STIG-RHEL-06-000236 | 464 | ········-·DISA-STIG-RHEL-06-000236 |
| 446 | ···· | 465 | ···· |
| 447 | ···· | ||
| 448 | ····-·name:·"Allow·Only·SSH·Protocol·2" | ||
| 449 | ······lineinfile: | ||
| 450 | ········dest:·/etc/ssh/sshd_config | ||
| 451 | ········regexp:·"^Protocol·[0-9]" | ||
| 452 | ········line:·"Protocol·2" | ||
| 453 | ········validate:·sshd·-t·-f·%s | ||
| Max diff block lines reached; 22675/26927 bytes (84.21%) of diff not shown. | |||
| Offset 34, 41 lines modified | Offset 34, 41 lines modified | ||
| 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······rsyslog_remote_loghost_address:·None | 38 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 41 | ······sysctl_net_ipv4_icmp_ | 41 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_conf_ | 45 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_ | 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 52 | ······var_selinux_policy_name:·targeted | 52 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 53 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·15 | 54 | ······var_accounts_password_minlen_login_defs:·15 |
| 55 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_password_warn_age_login_defs:·7 | 55 | ······var_accounts_password_warn_age_login_defs:·7 |
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 58 | ······var_password_pam_unix_remember:·5 | 58 | ······var_password_pam_unix_remember:·5 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_tmout:·600 | 63 | ······var_accounts_tmout:·600 |
| 64 | ······var_removable_partition:·/dev/cdrom | ||
| 64 | ······var_auditd_max_log_file:·6 | 65 | ······var_auditd_max_log_file:·6 |
| 65 | ······var_auditd_admin_space_left_action:·single | 66 | ······var_auditd_admin_space_left_action:·single |
| 66 | ······var_auditd_max_log_file_action:·rotate | 67 | ······var_auditd_max_log_file_action:·rotate |
| 67 | ······var_removable_partition:·/dev/cdrom | ||
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | 69 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 70 | ······stat: | 70 | ······stat: |
| 71 | ········path:·/etc/samba/smb.conf | 71 | ········path:·/etc/samba/smb.conf |
| 72 | ······register:·st_smb | 72 | ······register:·st_smb |
| 73 | ······tags: | 73 | ······tags: |
| 74 | ········-·require_smb_client_signing | 74 | ········-·require_smb_client_signing |
| Offset 109, 14 lines modified | Offset 109, 81 lines modified | ||
| 109 | ········-·low_complexity | 109 | ········-·low_complexity |
| 110 | ········-·low_disruption | 110 | ········-·low_disruption |
| 111 | ········-·CCE-27093-4 | 111 | ········-·CCE-27093-4 |
| 112 | ········-·NIST-800-53-AU-8(1) | 112 | ········-·NIST-800-53-AU-8(1) |
| 113 | ········-·PCI-DSS-Req-10.4 | 113 | ········-·PCI-DSS-Req-10.4 |
| 114 | ········-·DISA-STIG-RHEL-06-000247 | 114 | ········-·DISA-STIG-RHEL-06-000247 |
| 115 | ···· | 115 | ···· |
| 116 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 117 | ······package: | ||
| 118 | ········name="{{item}}" | ||
| 119 | ········state=absent | ||
| 120 | ······with_items: | ||
| 121 | ········-·openldap-servers | ||
| 122 | ······tags: | ||
| 123 | ········-·package_openldap-servers_removed | ||
| 124 | ········-·unknown_severity | ||
| 125 | ········-·disable_strategy | ||
| 126 | ········-·low_complexity | ||
| 127 | ········-·low_disruption | ||
| 128 | ········-·CCE-26858-1 | ||
| 129 | ········-·NIST-800-53-CM-7 | ||
| 130 | ········-·DISA-STIG-RHEL-06-000256 | ||
| 131 | ···· | ||
| 132 | ····-·name:·Enable·service·crond | ||
| 133 | ······service: | ||
| 134 | ········name="{{item}}" | ||
| 135 | ········enabled="yes" | ||
| 136 | ········state="started" | ||
| 137 | ······with_items: | ||
| 138 | ········-·crond | ||
| 139 | ······tags: | ||
| 140 | ········-·service_crond_enabled | ||
| 141 | ········-·medium_severity | ||
| 142 | ········-·enable_strategy | ||
| 143 | ········-·low_complexity | ||
| 144 | ········-·low_disruption | ||
| 145 | ········-·CCE-27070-2 | ||
| 146 | ········-·NIST-800-53-CM-7 | ||
| 147 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 148 | ···· | ||
| 149 | ····-·name:·Disable·service·atd | ||
| 150 | ······service: | ||
| 151 | ········name="{{item}}" | ||
| 152 | ········enabled="no" | ||
| 153 | ········state="stopped" | ||
| 154 | ······register:·service_result | ||
| 155 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 156 | ······with_items: | ||
| 157 | ········-·atd | ||
| 158 | ······tags: | ||
| 159 | ········-·service_atd_disabled | ||
| 160 | ········-·unknown_severity | ||
| 161 | ········-·disable_strategy | ||
| 162 | ········-·low_complexity | ||
| 163 | ········-·low_disruption | ||
| 164 | ········-·CCE-27249-2 | ||
| 165 | ········-·NIST-800-53-CM-7 | ||
| 166 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 167 | ···· | ||
| 168 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 169 | ······package: | ||
| 170 | ········name="{{item}}" | ||
| 171 | ········state=absent | ||
| 172 | ······with_items: | ||
| 173 | ········-·xorg-x11-server-common | ||
| 174 | ······tags: | ||
| 175 | ········-·package_xorg-x11-server-common_removed | ||
| 176 | ········-·unknown_severity | ||
| 177 | ········-·disable_strategy | ||
| 178 | ········-·low_complexity | ||
| 179 | ········-·low_disruption | ||
| 180 | ········-·CCE-27198-1 | ||
| 181 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 182 | ···· | ||
| 116 | ····-·name:·Ensure·rsh-server·is·removed | 183 | ····-·name:·Ensure·rsh-server·is·removed |
| 117 | ······package: | 184 | ······package: |
| 118 | ········name="{{item}}" | 185 | ········name="{{item}}" |
| 119 | ········state=absent | 186 | ········state=absent |
| 120 | ······with_items: | 187 | ······with_items: |
| 121 | ········-·rsh-server | 188 | ········-·rsh-server |
| 122 | ······tags: | 189 | ······tags: |
| Offset 271, 65 lines modified | Offset 338, 14 lines modified | ||
| Max diff block lines reached; 114413/118830 bytes (96.28%) of diff not shown. | |||
| Offset 35, 41 lines modified | Offset 35, 41 lines modified | ||
| 35 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 35 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 36 | ·········· | 36 | ·········· |
| 37 | ···vars: | 37 | ···vars: |
| 38 | ······sshd_idle_timeout_value:·300 | 38 | ······sshd_idle_timeout_value:·300 |
| 39 | ······rsyslog_remote_loghost_address:·None | 39 | ······rsyslog_remote_loghost_address:·None |
| 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 42 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_ | 46 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_icmp_ | 51 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 52 | ······sysctl_net_ipv4_conf_ | 52 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 53 | ······var_selinux_policy_name:·targeted | 53 | ······var_selinux_policy_name:·targeted |
| 54 | ······var_selinux_state:·enforcing | 54 | ······var_selinux_state:·enforcing |
| 55 | ······var_accounts_password_minlen_login_defs:·15 | 55 | ······var_accounts_password_minlen_login_defs:·15 |
| 56 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 57 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 58 | ······var_accounts_password_warn_age_login_defs:·7 | 56 | ······var_accounts_password_warn_age_login_defs:·7 |
| 57 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 58 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 59 | ······var_password_pam_unix_remember:·5 | 59 | ······var_password_pam_unix_remember:·5 |
| 60 | ······var_accounts_passwords_pam_faillock_deny:·3 | 60 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 62 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 62 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 63 | ······var_password_pam_retry:·3 | 63 | ······var_password_pam_retry:·3 |
| 64 | ······var_accounts_tmout:·600 | 64 | ······var_accounts_tmout:·600 |
| 65 | ······var_removable_partition:·/dev/cdrom | ||
| 65 | ······var_auditd_max_log_file:·6 | 66 | ······var_auditd_max_log_file:·6 |
| 66 | ······var_auditd_admin_space_left_action:·single | 67 | ······var_auditd_admin_space_left_action:·single |
| 67 | ······var_auditd_max_log_file_action:·rotate | 68 | ······var_auditd_max_log_file_action:·rotate |
| 68 | ······var_removable_partition:·/dev/cdrom | ||
| 69 | ···tasks: | 69 | ···tasks: |
| 70 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | 70 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 71 | ······stat: | 71 | ······stat: |
| 72 | ········path:·/etc/samba/smb.conf | 72 | ········path:·/etc/samba/smb.conf |
| 73 | ······register:·st_smb | 73 | ······register:·st_smb |
| 74 | ······tags: | 74 | ······tags: |
| 75 | ········-·require_smb_client_signing | 75 | ········-·require_smb_client_signing |
| Offset 110, 14 lines modified | Offset 110, 66 lines modified | ||
| 110 | ········-·low_complexity | 110 | ········-·low_complexity |
| 111 | ········-·low_disruption | 111 | ········-·low_disruption |
| 112 | ········-·CCE-27093-4 | 112 | ········-·CCE-27093-4 |
| 113 | ········-·NIST-800-53-AU-8(1) | 113 | ········-·NIST-800-53-AU-8(1) |
| 114 | ········-·PCI-DSS-Req-10.4 | 114 | ········-·PCI-DSS-Req-10.4 |
| 115 | ········-·DISA-STIG-RHEL-06-000247 | 115 | ········-·DISA-STIG-RHEL-06-000247 |
| 116 | ···· | 116 | ···· |
| 117 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 118 | ······package: | ||
| 119 | ········name="{{item}}" | ||
| 120 | ········state=absent | ||
| 121 | ······with_items: | ||
| 122 | ········-·openldap-servers | ||
| 123 | ······tags: | ||
| 124 | ········-·package_openldap-servers_removed | ||
| 125 | ········-·unknown_severity | ||
| 126 | ········-·disable_strategy | ||
| 127 | ········-·low_complexity | ||
| 128 | ········-·low_disruption | ||
| 129 | ········-·CCE-26858-1 | ||
| 130 | ········-·NIST-800-53-CM-7 | ||
| 131 | ········-·DISA-STIG-RHEL-06-000256 | ||
| 132 | ···· | ||
| 133 | ····-·name:·Enable·service·crond | ||
| 134 | ······service: | ||
| 135 | ········name="{{item}}" | ||
| 136 | ········enabled="yes" | ||
| 137 | ········state="started" | ||
| 138 | ······with_items: | ||
| 139 | ········-·crond | ||
| 140 | ······tags: | ||
| 141 | ········-·service_crond_enabled | ||
| 142 | ········-·medium_severity | ||
| 143 | ········-·enable_strategy | ||
| 144 | ········-·low_complexity | ||
| 145 | ········-·low_disruption | ||
| 146 | ········-·CCE-27070-2 | ||
| 147 | ········-·NIST-800-53-CM-7 | ||
| 148 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 149 | ···· | ||
| 150 | ····-·name:·Disable·service·atd | ||
| 151 | ······service: | ||
| 152 | ········name="{{item}}" | ||
| 153 | ········enabled="no" | ||
| 154 | ········state="stopped" | ||
| 155 | ······register:·service_result | ||
| 156 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 157 | ······with_items: | ||
| 158 | ········-·atd | ||
| 159 | ······tags: | ||
| 160 | ········-·service_atd_disabled | ||
| 161 | ········-·unknown_severity | ||
| 162 | ········-·disable_strategy | ||
| 163 | ········-·low_complexity | ||
| 164 | ········-·low_disruption | ||
| 165 | ········-·CCE-27249-2 | ||
| 166 | ········-·NIST-800-53-CM-7 | ||
| 167 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 168 | ···· | ||
| 117 | ····-·name:·Ensure·rsh-server·is·removed | 169 | ····-·name:·Ensure·rsh-server·is·removed |
| 118 | ······package: | 170 | ······package: |
| 119 | ········name="{{item}}" | 171 | ········name="{{item}}" |
| 120 | ········state=absent | 172 | ········state=absent |
| 121 | ······with_items: | 173 | ······with_items: |
| 122 | ········-·rsh-server | 174 | ········-·rsh-server |
| 123 | ······tags: | 175 | ······tags: |
| Offset 272, 50 lines modified | Offset 324, 14 lines modified | ||
| 272 | ········-·disable_strategy | 324 | ········-·disable_strategy |
| 273 | ········-·low_complexity | 325 | ········-·low_complexity |
| 274 | ········-·low_disruption | 326 | ········-·low_disruption |
| 275 | ········-·CCE-27005-8 | 327 | ········-·CCE-27005-8 |
| 276 | ········-·NIST-800-53-CM-7 | 328 | ········-·NIST-800-53-CM-7 |
| 277 | ········-·DISA-STIG-RHEL-06-000204 | 329 | ········-·DISA-STIG-RHEL-06-000204 |
| 278 | ···· | 330 | ···· |
| 279 | ····-·name:·Enable·service·crond | ||
| 280 | ······service: | ||
| 281 | ········name="{{item}}" | ||
| 282 | ········enabled="yes" | ||
| 283 | ········state="started" | ||
| 284 | ······with_items: | ||
| 285 | ········-·crond | ||
| 286 | ······tags: | ||
| Max diff block lines reached; 112847/118018 bytes (95.62%) of diff not shown. | |||
| Offset 40, 49 lines modified | Offset 40, 49 lines modified | ||
| 40 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 40 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 41 | ·········· | 41 | ·········· |
| 42 | ···vars: | 42 | ···vars: |
| 43 | ······sshd_idle_timeout_value:·900 | 43 | ······sshd_idle_timeout_value:·900 |
| 44 | ······rsyslog_remote_loghost_address:·None | 44 | ······rsyslog_remote_loghost_address:·None |
| 45 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 46 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_icmp_ | 47 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 50 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 51 | ······sysctl_net_ipv4_conf_ | 51 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 52 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 52 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 53 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 54 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 54 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 55 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 55 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 56 | ······sysctl_net_ipv4_icmp_ | 56 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 57 | ······sysctl_net_ipv4_conf_ | 57 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 58 | ······var_selinux_policy_name:·targeted | 58 | ······var_selinux_policy_name:·targeted |
| 59 | ······var_selinux_state:·enforcing | 59 | ······var_selinux_state:·enforcing |
| 60 | ······var_accounts_password_minlen_login_defs:·15 | 60 | ······var_accounts_password_minlen_login_defs:·15 |
| 61 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 62 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 63 | ······var_accounts_password_warn_age_login_defs:·7 | 61 | ······var_accounts_password_warn_age_login_defs:·7 |
| 62 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 63 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 64 | ······var_account_disable_post_pw_expiration:·35 | 64 | ······var_account_disable_post_pw_expiration:·35 |
| 65 | ······var_password_pam_unix_remember:·5 | 65 | ······var_password_pam_unix_remember:·5 |
| 66 | ······var_accounts_passwords_pam_faillock_deny:·3 | 66 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 67 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 67 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 68 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 68 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 69 | ······var_password_pam_maxrepeat:·3 | 69 | ······var_password_pam_maxrepeat:·3 |
| 70 | ······var_password_pam_retry:·3 | 70 | ······var_password_pam_retry:·3 |
| 71 | ······var_accounts_user_umask:·077 | 71 | ······var_accounts_user_umask:·077 |
| 72 | ······var_accounts_tmout:·600 | 72 | ······var_accounts_tmout:·600 |
| 73 | ······var_accounts_max_concurrent_login_sessions:·10 | 73 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 74 | ······var_removable_partition:·/dev/cdrom | ||
| 75 | ······var_removable_partition:·/dev/cdrom | ||
| 76 | ······var_removable_partition:·/dev/cdrom | ||
| 74 | ······var_auditd_max_log_file:·6 | 77 | ······var_auditd_max_log_file:·6 |
| 75 | ······var_auditd_action_mail_acct:·admin | 78 | ······var_auditd_action_mail_acct:·admin |
| 76 | ······var_auditd_space_left_action:·suspend | ||
| 77 | ······var_auditd_admin_space_left_action:·single | 79 | ······var_auditd_admin_space_left_action:·single |
| 80 | ······var_auditd_space_left_action:·suspend | ||
| 78 | ······var_auditd_max_log_file_action:·rotate | 81 | ······var_auditd_max_log_file_action:·rotate |
| 79 | ······var_removable_partition:·/dev/cdrom | ||
| 80 | ······var_removable_partition:·/dev/cdrom | ||
| 81 | ······var_removable_partition:·/dev/cdrom | ||
| 82 | ···tasks: | 82 | ···tasks: |
| 83 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | 83 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 84 | ······stat: | 84 | ······stat: |
| 85 | ········path:·/etc/samba/smb.conf | 85 | ········path:·/etc/samba/smb.conf |
| 86 | ······register:·st_smb | 86 | ······register:·st_smb |
| 87 | ······tags: | 87 | ······tags: |
| 88 | ········-·require_smb_client_signing | 88 | ········-·require_smb_client_signing |
| Offset 105, 63 lines modified | Offset 105, 98 lines modified | ||
| 105 | ········-·unknown_severity | 105 | ········-·unknown_severity |
| 106 | ········-·configure_strategy | 106 | ········-·configure_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·medium_disruption | 108 | ········-·medium_disruption |
| 109 | ········-·CCE-26328-5 | 109 | ········-·CCE-26328-5 |
| 110 | ········-·DISA-STIG-RHEL-06-000272 | 110 | ········-·DISA-STIG-RHEL-06-000272 |
| 111 | ···· | 111 | ···· |
| 112 | ····-·name:·En | 112 | ····-·name:·Enable·service·ntpd |
| 113 | ······service: | ||
| 114 | ········name="{{item}}" | ||
| 115 | ········enabled="yes" | ||
| 116 | ········state="started" | ||
| 117 | ······with_items: | ||
| 118 | ········-·ntpd | ||
| 119 | ······tags: | ||
| 120 | ········-·service_ntpd_enabled | ||
| 121 | ········-·medium_severity | ||
| 122 | ········-·enable_strategy | ||
| 123 | ········-·low_complexity | ||
| 124 | ········-·low_disruption | ||
| 125 | ········-·CCE-27093-4 | ||
| 126 | ········-·NIST-800-53-AU-8(1) | ||
| 127 | ········-·PCI-DSS-Req-10.4 | ||
| 128 | ········-·DISA-STIG-RHEL-06-000247 | ||
| 129 | ···· | ||
| 130 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 113 | ······package: | 131 | ······package: |
| 114 | ········name="{{item}}" | 132 | ········name="{{item}}" |
| 115 | ········state=absent | 133 | ········state=absent |
| 116 | ······with_items: | 134 | ······with_items: |
| 117 | ········-· | 135 | ········-·openldap-servers |
| 118 | ······tags: | 136 | ······tags: |
| 119 | ········-·package_ | 137 | ········-·package_openldap-servers_removed |
| 120 | ········-· | 138 | ········-·unknown_severity |
| 121 | ········-·disable_strategy | 139 | ········-·disable_strategy |
| 122 | ········-·low_complexity | 140 | ········-·low_complexity |
| 123 | ········-·low_disruption | 141 | ········-·low_disruption |
| 124 | ········-·CCE-2 | 142 | ········-·CCE-26858-1 |
| 125 | ········-·NIST-800-53-CM-7 | 143 | ········-·NIST-800-53-CM-7 |
| 126 | ········-·DISA-STIG-RHEL-06-0002 | 144 | ········-·DISA-STIG-RHEL-06-000256 |
| 127 | ···· | 145 | ···· |
| 128 | ····-·name:·Enable·service· | 146 | ····-·name:·Enable·service·crond |
| 129 | ······service: | 147 | ······service: |
| 130 | ········name="{{item}}" | 148 | ········name="{{item}}" |
| 131 | ········enabled="yes" | 149 | ········enabled="yes" |
| 132 | ········state="started" | 150 | ········state="started" |
| 133 | ······with_items: | 151 | ······with_items: |
| 134 | ········-· | 152 | ········-·crond |
| 135 | ······tags: | 153 | ······tags: |
| 136 | ········-·service_ | 154 | ········-·service_crond_enabled |
| 137 | ········-· | 155 | ········-·medium_severity |
| 138 | ········-·enable_strategy | 156 | ········-·enable_strategy |
| 139 | ········-·low_complexity | 157 | ········-·low_complexity |
| 140 | ········-·low_disruption | 158 | ········-·low_disruption |
| 141 | ········-·CCE-2 | 159 | ········-·CCE-27070-2 |
| 142 | ········-· | 160 | ········-·NIST-800-53-CM-7 |
| 161 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 143 | ···· | 162 | ···· |
| 144 | ····-·name:· | 163 | ····-·name:·Disable·service·atd |
| 145 | ······service: | 164 | ······service: |
| 146 | ········name="{{item}}" | 165 | ········name="{{item}}" |
| 147 | ········enabled=" | 166 | ········enabled="no" |
| 148 | ········state="st | 167 | ········state="stopped" |
| 168 | ······register:·service_result | ||
| 169 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 149 | ······with_items: | 170 | ······with_items: |
| 150 | ········-· | 171 | ········-·atd |
| 151 | ······tags: | 172 | ······tags: |
| 152 | ········-·service_ | 173 | ········-·service_atd_disabled |
| 153 | ········-· | 174 | ········-·unknown_severity |
| 154 | ········-· | 175 | ········-·disable_strategy |
| Max diff block lines reached; 146690/151852 bytes (96.60%) of diff not shown. | |||
| Offset 35, 85 lines modified | Offset 35, 72 lines modified | ||
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······rsyslog_remote_loghost_address:·None | 38 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 39 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 42 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 | ||
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 | ||
| 52 | ······var_selinux_policy_name:·targeted | 52 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 53 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·12 | 54 | ······var_accounts_password_minlen_login_defs:·12 |
| 55 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 56 | ······var_accounts_password_warn_age_login_defs:·14 | 55 | ······var_accounts_password_warn_age_login_defs:·14 |
| 56 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 57 | ······var_account_disable_post_pw_expiration:·30 | 57 | ······var_account_disable_post_pw_expiration:·30 |
| 58 | ······var_password_pam_unix_remember:·24 | 58 | ······var_password_pam_unix_remember:·24 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·5 | 59 | ······var_accounts_passwords_pam_faillock_deny:·5 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_user_umask:·077 | 63 | ······var_accounts_user_umask:·077 |
| 64 | ······var_removable_partition:·/dev/cdrom | 64 | ······var_removable_partition:·/dev/cdrom |
| 65 | ······var_removable_partition:·/dev/cdrom | 65 | ······var_removable_partition:·/dev/cdrom |
| 66 | ······var_removable_partition:·/dev/cdrom | 66 | ······var_removable_partition:·/dev/cdrom |
| 67 | ···tasks: | 67 | ···tasks: |
| 68 | ····-·name:·Disable·service·s | 68 | ····-·name:·Disable·service·vsftpd |
| 69 | ······service: | 69 | ······service: |
| 70 | ········name="{{item}}" | 70 | ········name="{{item}}" |
| 71 | ········enabled="no" | 71 | ········enabled="no" |
| 72 | ········state="stopped" | 72 | ········state="stopped" |
| 73 | ······register:·service_result | 73 | ······register:·service_result |
| 74 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 74 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 75 | ······with_items: | 75 | ······with_items: |
| 76 | ········-·s | 76 | ········-·vsftpd |
| 77 | ······tags: | 77 | ······tags: |
| 78 | ········-·service_s | 78 | ········-·service_vsftpd_disabled |
| 79 | ········-·unknown_severity | 79 | ········-·unknown_severity |
| 80 | ········-·disable_strategy | 80 | ········-·disable_strategy |
| 81 | ········-·low_complexity | 81 | ········-·low_complexity |
| 82 | ········-·low_disruption | 82 | ········-·low_disruption |
| 83 | ········-·CCE-2 | 83 | ········-·CCE-26948-0 |
| 84 | ···· | 84 | ········-·NIST-800-53-CM-7 |
| 85 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 86 | ······stat: | ||
| 87 | ········path:·/etc/samba/smb.conf | ||
| 88 | ······register:·st_smb | ||
| 89 | ······tags: | ||
| 90 | ········-·require_smb_client_signing | ||
| 91 | ········-·unknown_severity | ||
| 92 | ········-·configure_strategy | ||
| 93 | ········-·low_complexity | ||
| 94 | ········-·medium_disruption | ||
| 95 | ········-·CCE-26328-5 | ||
| 96 | ········-·DISA-STIG-RHEL-06-000272 | ||
| 97 | ···· | 85 | ···· |
| 98 | ····-·name:· | 86 | ····-·name:·Ensure·vsftpd·is·removed |
| 99 | ······ | 87 | ······package: |
| 100 | ········ | 88 | ········name="{{item}}" |
| 101 | ········ | 89 | ········state=absent |
| 102 | ······ | 90 | ······with_items: |
| 103 | ········ | 91 | ········-·vsftpd |
| 104 | ······when:·st_smb.stat.exists | ||
| 105 | ······tags: | 92 | ······tags: |
| 106 | ········-· | 93 | ········-·package_vsftpd_removed |
| 107 | ········-·unknown_severity | 94 | ········-·unknown_severity |
| 108 | ········-· | 95 | ········-·disable_strategy |
| 109 | ········-·low_complexity | 96 | ········-·low_complexity |
| 110 | ········-· | 97 | ········-·low_disruption |
| 111 | ········-·CCE-26 | 98 | ········-·CCE-26687-4 |
| 112 | ········-· | 99 | ········-·NIST-800-53-CM-7 |
| 113 | ···· | 100 | ···· |
| 114 | ····-·name:·Disable·service·httpd | 101 | ····-·name:·Disable·service·httpd |
| 115 | ······service: | 102 | ······service: |
| 116 | ········name="{{item}}" | 103 | ········name="{{item}}" |
| 117 | ········enabled="no" | 104 | ········enabled="no" |
| 118 | ········state="stopped" | 105 | ········state="stopped" |
| 119 | ······register:·service_result | 106 | ······register:·service_result |
| Offset 140, 62 lines modified | Offset 127, 92 lines modified | ||
| 140 | ········-·unknown_severity | 127 | ········-·unknown_severity |
| 141 | ········-·disable_strategy | 128 | ········-·disable_strategy |
| 142 | ········-·low_complexity | 129 | ········-·low_complexity |
| 143 | ········-·low_disruption | 130 | ········-·low_disruption |
| 144 | ········-·CCE-27133-8 | 131 | ········-·CCE-27133-8 |
| 145 | ········-·NIST-800-53-CM-7 | 132 | ········-·NIST-800-53-CM-7 |
| 146 | ···· | 133 | ···· |
| 147 | ····-·name:· | 134 | ····-·name:·Disable·service·named |
| 148 | ······ | 135 | ······service: |
| 149 | ········name="{{item}}" | 136 | ········name="{{item}}" |
| 150 | ········ | 137 | ········enabled="no" |
| 138 | ········state="stopped" | ||
| 139 | ······register:·service_result | ||
| 140 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 151 | ······with_items: | 141 | ······with_items: |
| 152 | ········-· | 142 | ········-·named |
| 153 | ······tags: | 143 | ······tags: |
| 154 | ········-· | 144 | ········-·service_named_disabled |
| 155 | ········-· | 145 | ········-·unknown_severity |
| 156 | ········-·disable_strategy | 146 | ········-·disable_strategy |
| 157 | ········-·low_complexity | 147 | ········-·low_complexity |
| 158 | ········-·low_disruption | 148 | ········-·low_disruption |
| 159 | ········-·CCE-2 | 149 | ········-·CCE-26873-0 |
| 160 | ········-·NIST-800-53-CM-7 | 150 | ········-·NIST-800-53-CM-7 |
| 161 | ········-·DISA-STIG-RHEL-06-000288 | ||
| 162 | ···· | 151 | ···· |
| 163 | ····-·name:·Ensure· | 152 | ····-·name:·Ensure·bind·is·removed |
| 164 | ······package: | 153 | ······package: |
| 165 | ········name="{{item}}" | 154 | ········name="{{item}}" |
| 166 | ········state=absent | 155 | ········state=absent |
| 167 | ······with_items: | 156 | ······with_items: |
| 168 | ········-· | 157 | ········-·bind |
| 169 | ······tags: | 158 | ······tags: |
| 170 | ········-·package_ | 159 | ········-·package_bind_removed |
| 171 | ········-· | 160 | ········-·unknown_severity |
| 172 | ········-·disable_strategy | 161 | ········-·disable_strategy |
| 173 | ········-·low_complexity | 162 | ········-·low_complexity |
| 174 | ········-·low_disruption | 163 | ········-·low_disruption |
| 175 | ········-·CCE-27 | 164 | ········-·CCE-27030-6 |
| Max diff block lines reached; 159145/164250 bytes (96.89%) of diff not shown. | |||
| Offset 46, 26 lines modified | Offset 46, 26 lines modified | ||
| 46 | ······sshd_idle_timeout_value:·7200 | 46 | ······sshd_idle_timeout_value:·7200 |
| 47 | ······rsyslog_remote_loghost_address:·logcollector | 47 | ······rsyslog_remote_loghost_address:·logcollector |
| 48 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 49 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 50 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 50 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 51 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 52 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 53 | ······sysctl_net_ipv4_icmp_ | 53 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 54 | ······sysctl_net_ipv4_conf_default_ | 54 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 55 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 55 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 56 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 56 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_conf_ | 57 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 58 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 58 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 59 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 59 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 60 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 60 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 61 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 61 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 62 | ······sysctl_net_ipv4_icmp_ | 62 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 63 | ······sysctl_net_ipv4_conf_ | 63 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 64 | ······sysctl_net_ipv4_conf_default_ | 64 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 65 | ······var_selinux_policy_name:·targeted | 65 | ······var_selinux_policy_name:·targeted |
| 66 | ······var_selinux_state:·enforcing | 66 | ······var_selinux_state:·enforcing |
| 67 | ······var_accounts_password_warn_age_login_defs:·7 | 67 | ······var_accounts_password_warn_age_login_defs:·7 |
| 68 | ······var_accounts_minimum_age_login_defs:·7 | 68 | ······var_accounts_minimum_age_login_defs:·7 |
| 69 | ······var_accounts_maximum_age_login_defs:·90 | 69 | ······var_accounts_maximum_age_login_defs:·90 |
| 70 | ······var_account_disable_post_pw_expiration:·30 | 70 | ······var_account_disable_post_pw_expiration:·30 |
| 71 | ······var_password_pam_unix_remember:·5 | 71 | ······var_password_pam_unix_remember:·5 |
| Offset 274, 14 lines modified | Offset 274, 30 lines modified | ||
| 274 | ········-·disable_strategy | 274 | ········-·disable_strategy |
| 275 | ········-·low_complexity | 275 | ········-·low_complexity |
| 276 | ········-·low_disruption | 276 | ········-·low_disruption |
| 277 | ········-·CCE-80212-4 | 277 | ········-·CCE-80212-4 |
| 278 | ········-·NIST-800-53-AC-17(8) | 278 | ········-·NIST-800-53-AC-17(8) |
| 279 | ········-·NIST-800-53-CM-7 | 279 | ········-·NIST-800-53-CM-7 |
| 280 | ···· | 280 | ···· |
| 281 | ····-·name:·Ensure·tcp_wrappers·is·installed | ||
| 282 | ······package: | ||
| 283 | ········name="{{item}}" | ||
| 284 | ········state=present | ||
| 285 | ······with_items: | ||
| 286 | ········-·tcp_wrappers | ||
| 287 | ······tags: | ||
| 288 | ········-·package_tcp_wrappers_installed | ||
| 289 | ········-·medium_severity | ||
| 290 | ········-·enable_strategy | ||
| 291 | ········-·low_complexity | ||
| 292 | ········-·low_disruption | ||
| 293 | ········-·CCE-27361-5 | ||
| 294 | ········-·NIST-800-53-CM-6(b) | ||
| 295 | ········-·DISA-STIG-RHEL-07-TBD | ||
| 296 | ···· | ||
| 281 | ····-·name:·Disable·service·xinetd | 297 | ····-·name:·Disable·service·xinetd |
| 282 | ······service: | 298 | ······service: |
| 283 | ········name="{{item}}" | 299 | ········name="{{item}}" |
| 284 | ········enabled="no" | 300 | ········enabled="no" |
| 285 | ········state="stopped" | 301 | ········state="stopped" |
| 286 | ······register:·service_result | 302 | ······register:·service_result |
| 287 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 303 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 294, 30 lines modified | Offset 310, 14 lines modified | ||
| 294 | ········-·low_complexity | 310 | ········-·low_complexity |
| 295 | ········-·low_disruption | 311 | ········-·low_disruption |
| 296 | ········-·CCE-27443-1 | 312 | ········-·CCE-27443-1 |
| 297 | ········-·NIST-800-53-AC-17(8) | 313 | ········-·NIST-800-53-AC-17(8) |
| 298 | ········-·NIST-800-53-CM-7 | 314 | ········-·NIST-800-53-CM-7 |
| 299 | ········-·NIST-800-171-3.4.7 | 315 | ········-·NIST-800-171-3.4.7 |
| 300 | ···· | 316 | ···· |
| 301 | ····-·name:·Ensure·tcp_wrappers·is·installed | ||
| 302 | ······package: | ||
| 303 | ········name="{{item}}" | ||
| 304 | ········state=present | ||
| 305 | ······with_items: | ||
| 306 | ········-·tcp_wrappers | ||
| 307 | ······tags: | ||
| 308 | ········-·package_tcp_wrappers_installed | ||
| 309 | ········-·medium_severity | ||
| 310 | ········-·enable_strategy | ||
| 311 | ········-·low_complexity | ||
| 312 | ········-·low_disruption | ||
| 313 | ········-·CCE-27361-5 | ||
| 314 | ········-·NIST-800-53-CM-6(b) | ||
| 315 | ········-·DISA-STIG-RHEL-07-TBD | ||
| 316 | ···· | ||
| 317 | ····-·name:·Ensure·talk·is·removed | 317 | ····-·name:·Ensure·talk·is·removed |
| 318 | ······package: | 318 | ······package: |
| 319 | ········name="{{item}}" | 319 | ········name="{{item}}" |
| 320 | ········state=absent | 320 | ········state=absent |
| 321 | ······with_items: | 321 | ······with_items: |
| 322 | ········-·talk | 322 | ········-·talk |
| 323 | ······tags: | 323 | ······tags: |
| Offset 338, 14 lines modified | Offset 338, 31 lines modified | ||
| 338 | ········-·package_talk-server_removed | 338 | ········-·package_talk-server_removed |
| 339 | ········-·medium_severity | 339 | ········-·medium_severity |
| 340 | ········-·disable_strategy | 340 | ········-·disable_strategy |
| 341 | ········-·low_complexity | 341 | ········-·low_complexity |
| 342 | ········-·low_disruption | 342 | ········-·low_disruption |
| 343 | ········-·CCE-27210-4 | 343 | ········-·CCE-27210-4 |
| 344 | ···· | 344 | ···· |
| 345 | ····-·name:·Disable·service·dovecot | ||
| 346 | ······service: | ||
| 347 | ········name="{{item}}" | ||
| 348 | ········enabled="no" | ||
| 349 | ········state="stopped" | ||
| 350 | ······register:·service_result | ||
| 351 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 352 | ······with_items: | ||
| 353 | ········-·dovecot | ||
| 354 | ······tags: | ||
| 355 | ········-·service_dovecot_disabled | ||
| 356 | ········-·unknown_severity | ||
| 357 | ········-·disable_strategy | ||
| 358 | ········-·low_complexity | ||
| 359 | ········-·low_disruption | ||
| 360 | ········-·CCE-80294-2 | ||
| 361 | ···· | ||
| 345 | ····-·name:·Disable·service·vsftpd | 362 | ····-·name:·Disable·service·vsftpd |
| 346 | ······service: | 363 | ······service: |
| 347 | ········name="{{item}}" | 364 | ········name="{{item}}" |
| 348 | ········enabled="no" | 365 | ········enabled="no" |
| 349 | ········state="stopped" | 366 | ········state="stopped" |
| 350 | ······register:·service_result | 367 | ······register:·service_result |
| 351 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 368 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 496, 31 lines modified | Offset 513, 14 lines modified | ||
| 496 | ········-·medium_severity | 513 | ········-·medium_severity |
| 497 | ········-·disable_strategy | 514 | ········-·disable_strategy |
| 498 | ········-·low_complexity | 515 | ········-·low_complexity |
| 499 | ········-·low_disruption | 516 | ········-·low_disruption |
| 500 | ········-·CCE-80330-4 | 517 | ········-·CCE-80330-4 |
| 501 | ········-·NIST-800-53-CM-7 | 518 | ········-·NIST-800-53-CM-7 |
| Max diff block lines reached; 97763/102303 bytes (95.56%) of diff not shown. | |||
| Offset 37, 28 lines modified | Offset 37, 28 lines modified | ||
| 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 38 | ·········· | 38 | ·········· |
| 39 | ···vars: | 39 | ···vars: |
| 40 | ······sshd_idle_timeout_value:·1800 | 40 | ······sshd_idle_timeout_value:·1800 |
| 41 | ······sshd_listening_port:·22 | 41 | ······sshd_listening_port:·22 |
| 42 | ······inactivity_timeout_value:·1800 | 42 | ······inactivity_timeout_value:·1800 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 44 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 45 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 46 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | 44 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 47 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 48 | ······var_accounts_minimum_age_login_defs:·1 | 48 | ······var_accounts_minimum_age_login_defs:·1 |
| 49 | ······var_account_disable_post_pw_expiration:·0 | 49 | ······var_account_disable_post_pw_expiration:·0 |
| 50 | ······var_password_pam_minlen:·12 | 50 | ······var_password_pam_minlen:·12 |
| 51 | ······var_password_pam_difok:·6 | 51 | ······var_password_pam_difok:·6 |
| 52 | ······var_accounts_max_concurrent_login_sessions:·3 | 52 | ······var_accounts_max_concurrent_login_sessions:·3 |
| 53 | ······var_auditd_max_log_file:·1 | 53 | ······var_auditd_max_log_file:·1 |
| 54 | ······var_auditd_action_mail_acct:·admin | 54 | ······var_auditd_action_mail_acct:·admin |
| 55 | ······var_auditd_space_left_action:·suspend | ||
| 56 | ······var_auditd_admin_space_left_action:·suspend | 55 | ······var_auditd_admin_space_left_action:·suspend |
| 57 | ······var_auditd_max_log_file_action:·rotate | 56 | ······var_auditd_max_log_file_action:·rotate |
| 57 | ······var_auditd_space_left_action:·suspend | ||
| 58 | ···tasks: | 58 | ···tasks: |
| 59 | ····-·name:·Disable·SSH·Access·via·Empty·Passwords | 59 | ····-·name:·Disable·SSH·Access·via·Empty·Passwords |
| 60 | ······lineinfile: | 60 | ······lineinfile: |
| 61 | ········create:·yes | 61 | ········create:·yes |
| 62 | ········dest:·/etc/ssh/sshd_config | 62 | ········dest:·/etc/ssh/sshd_config |
| 63 | ········regexp:·^PermitEmptyPasswords | 63 | ········regexp:·^PermitEmptyPasswords |
| 64 | ········line:·PermitEmptyPasswords·no | 64 | ········line:·PermitEmptyPasswords·no |
| Offset 96, 14 lines modified | Offset 96, 39 lines modified | ||
| 96 | ········-·NIST-800-53-AC-2(5) | 96 | ········-·NIST-800-53-AC-2(5) |
| 97 | ········-·NIST-800-53-SA-8 | 97 | ········-·NIST-800-53-SA-8 |
| 98 | ········-·NIST-800-53-AC-12 | 98 | ········-·NIST-800-53-AC-12 |
| 99 | ········-·NIST-800-171-3.1.11 | 99 | ········-·NIST-800-171-3.1.11 |
| 100 | ········-·CJIS-5.5.6 | 100 | ········-·CJIS-5.5.6 |
| 101 | ········-·DISA-STIG-RHEL-07-040340 | 101 | ········-·DISA-STIG-RHEL-07-040340 |
| 102 | ···· | 102 | ···· |
| 103 | ···· | ||
| 104 | ···· | ||
| 105 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 106 | ······lineinfile: | ||
| 107 | ········create:·yes | ||
| 108 | ········dest:·/etc/ssh/sshd_config | ||
| 109 | ········regexp:·^ClientAliveInterval | ||
| 110 | ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}" | ||
| 111 | ········validate:·sshd·-t·-f·%s | ||
| 112 | ······#notify:·restart·sshd | ||
| 113 | ······tags: | ||
| 114 | ········-·sshd_set_idle_timeout | ||
| 115 | ········-·unknown_severity | ||
| 116 | ········-·restrict_strategy | ||
| 117 | ········-·low_complexity | ||
| 118 | ········-·low_disruption | ||
| 119 | ········-·CCE-27433-2 | ||
| 120 | ········-·NIST-800-53-AC-2(5) | ||
| 121 | ········-·NIST-800-53-SA-8(i) | ||
| 122 | ········-·NIST-800-53-AC-12 | ||
| 123 | ········-·NIST-800-171-3.1.11 | ||
| 124 | ········-·PCI-DSS-Req-8.1.8 | ||
| 125 | ········-·CJIS-5.5.6 | ||
| 126 | ········-·DISA-STIG-RHEL-07-040320 | ||
| 127 | ···· | ||
| 103 | ····-·name:·Enable·SSH·Warning·Banner | 128 | ····-·name:·Enable·SSH·Warning·Banner |
| 104 | ······lineinfile: | 129 | ······lineinfile: |
| 105 | ········create:·yes | 130 | ········create:·yes |
| 106 | ········dest:·/etc/ssh/sshd_config | 131 | ········dest:·/etc/ssh/sshd_config |
| 107 | ········regexp:·^Banner | 132 | ········regexp:·^Banner |
| 108 | ········line:·Banner·/etc/issue | 133 | ········line:·Banner·/etc/issue |
| 109 | ········validate:·sshd·-t·-f·%s | 134 | ········validate:·sshd·-t·-f·%s |
| Offset 119, 33 lines modified | Offset 144, 14 lines modified | ||
| 119 | ········-·NIST-800-53-AC-8(c)(1) | 144 | ········-·NIST-800-53-AC-8(c)(1) |
| 120 | ········-·NIST-800-53-AC-8(c)(2) | 145 | ········-·NIST-800-53-AC-8(c)(2) |
| 121 | ········-·NIST-800-53-AC-8(c)(3) | 146 | ········-·NIST-800-53-AC-8(c)(3) |
| 122 | ········-·NIST-800-171-3.1.9 | 147 | ········-·NIST-800-171-3.1.9 |
| 123 | ········-·CJIS-5.5.6 | 148 | ········-·CJIS-5.5.6 |
| 124 | ········-·DISA-STIG-RHEL-07-040170 | 149 | ········-·DISA-STIG-RHEL-07-040170 |
| 125 | ···· | 150 | ···· |
| 126 | ····-·name:·Do·Not·Allow·SSH·Environment·Options | ||
| 127 | ······lineinfile: | ||
| 128 | ········create:·yes | ||
| 129 | ········dest:·/etc/ssh/sshd_config | ||
| 130 | ········regexp:·^PermitUserEnvironment | ||
| 131 | ········line:·PermitUserEnvironment·no | ||
| 132 | ········validate:·sshd·-t·-f·%s | ||
| 133 | ······tags: | ||
| 134 | ········-·sshd_do_not_permit_user_env | ||
| 135 | ········-·medium_severity | ||
| 136 | ········-·restrict_strategy | ||
| 137 | ········-·low_complexity | ||
| 138 | ········-·low_disruption | ||
| 139 | ········-·CCE-27363-1 | ||
| 140 | ········-·NIST-800-53-CM-6(b) | ||
| 141 | ········-·NIST-800-171-3.1.12 | ||
| 142 | ········-·CJIS-5.5.6 | ||
| 143 | ········-·DISA-STIG-RHEL-07-010460 | ||
| 144 | ···· | ||
| 145 | ···· | 151 | ···· |
| 146 | ····-·name:·"Allow·Only·SSH·Protocol·2" | 152 | ····-·name:·"Allow·Only·SSH·Protocol·2" |
| 147 | ······lineinfile: | 153 | ······lineinfile: |
| 148 | ········dest:·/etc/ssh/sshd_config | 154 | ········dest:·/etc/ssh/sshd_config |
| 149 | ········regexp:·"^Protocol·[0-9]" | 155 | ········regexp:·"^Protocol·[0-9]" |
| 150 | ········line:·"Protocol·2" | 156 | ········line:·"Protocol·2" |
| 151 | ········validate:·sshd·-t·-f·%s | 157 | ········validate:·sshd·-t·-f·%s |
| Offset 180, 38 lines modified | Offset 186, 32 lines modified | ||
| 180 | ········-·CCE-27377-1 | 186 | ········-·CCE-27377-1 |
| 181 | ········-·NIST-800-53-AC-3 | 187 | ········-·NIST-800-53-AC-3 |
| 182 | ········-·NIST-800-53-CM-6(a) | 188 | ········-·NIST-800-53-CM-6(a) |
| 183 | ········-·NIST-800-171-3.1.12 | 189 | ········-·NIST-800-171-3.1.12 |
| 184 | ········-·CJIS-5.5.6 | 190 | ········-·CJIS-5.5.6 |
| 185 | ········-·DISA-STIG-RHEL-07-040350 | 191 | ········-·DISA-STIG-RHEL-07-040350 |
| 186 | ···· | 192 | ···· |
| 187 | ···· | 193 | ····-·name:·Do·Not·Allow·SSH·Environment·Options |
| 188 | ···· | ||
| 189 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 190 | ······lineinfile: | 194 | ······lineinfile: |
| 191 | ········create:·yes | 195 | ········create:·yes |
| 192 | ········dest:·/etc/ssh/sshd_config | 196 | ········dest:·/etc/ssh/sshd_config |
| 193 | ········regexp:·^ | 197 | ········regexp:·^PermitUserEnvironment |
| 194 | ········line:· | 198 | ········line:·PermitUserEnvironment·no |
| 195 | ········validate:·sshd·-t·-f·%s | 199 | ········validate:·sshd·-t·-f·%s |
| 196 | ······#notify:·restart·sshd | ||
| 197 | ······tags: | 200 | ······tags: |
| 198 | ········-·sshd_ | 201 | ········-·sshd_do_not_permit_user_env |
| 199 | ········-· | 202 | ········-·medium_severity |
| 200 | ········-·restrict_strategy | 203 | ········-·restrict_strategy |
| Max diff block lines reached; 66416/70623 bytes (94.04%) of diff not shown. | |||
| Offset 220, 14 lines modified | Offset 220, 28 lines modified | ||
| 220 | ········-·low_complexity | 220 | ········-·low_complexity |
| 221 | ········-·low_disruption | 221 | ········-·low_disruption |
| 222 | ········-·CCE-27165-0 | 222 | ········-·CCE-27165-0 |
| 223 | ········-·NIST-800-53-AC-17(8) | 223 | ········-·NIST-800-53-AC-17(8) |
| 224 | ········-·NIST-800-53-CM-7(a) | 224 | ········-·NIST-800-53-CM-7(a) |
| 225 | ········-·DISA-STIG-RHEL-07-021710 | 225 | ········-·DISA-STIG-RHEL-07-021710 |
| 226 | ···· | 226 | ···· |
| 227 | ····-·name:·Ensure·ypbind·is·removed | ||
| 228 | ······package: | ||
| 229 | ········name="{{item}}" | ||
| 230 | ········state=absent | ||
| 231 | ······with_items: | ||
| 232 | ········-·ypbind | ||
| 233 | ······tags: | ||
| 234 | ········-·package_ypbind_removed | ||
| 235 | ········-·unknown_severity | ||
| 236 | ········-·disable_strategy | ||
| 237 | ········-·low_complexity | ||
| 238 | ········-·low_disruption | ||
| 239 | ········-·CCE-27396-1 | ||
| 240 | ···· | ||
| 227 | ····-·name:·Disable·service·ypbind | 241 | ····-·name:·Disable·service·ypbind |
| 228 | ······service: | 242 | ······service: |
| 229 | ········name="{{item}}" | 243 | ········name="{{item}}" |
| 230 | ········enabled="no" | 244 | ········enabled="no" |
| 231 | ········state="stopped" | 245 | ········state="stopped" |
| 232 | ······register:·service_result | 246 | ······register:·service_result |
| 233 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 247 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 239, 28 lines modified | Offset 253, 14 lines modified | ||
| 239 | ········-·disable_strategy | 253 | ········-·disable_strategy |
| 240 | ········-·low_complexity | 254 | ········-·low_complexity |
| 241 | ········-·low_disruption | 255 | ········-·low_disruption |
| 242 | ········-·CCE-27385-4 | 256 | ········-·CCE-27385-4 |
| 243 | ········-·NIST-800-53-AC-17(8) | 257 | ········-·NIST-800-53-AC-17(8) |
| 244 | ········-·NIST-800-53-CM-7 | 258 | ········-·NIST-800-53-CM-7 |
| 245 | ···· | 259 | ···· |
| 246 | ····-·name:·Ensure·ypbind·is·removed | ||
| 247 | ······package: | ||
| 248 | ········name="{{item}}" | ||
| 249 | ········state=absent | ||
| 250 | ······with_items: | ||
| 251 | ········-·ypbind | ||
| 252 | ······tags: | ||
| 253 | ········-·package_ypbind_removed | ||
| 254 | ········-·unknown_severity | ||
| 255 | ········-·disable_strategy | ||
| 256 | ········-·low_complexity | ||
| 257 | ········-·low_disruption | ||
| 258 | ········-·CCE-27396-1 | ||
| 259 | ···· | ||
| 260 | ····-·name:·Ensure·ypserv·is·removed | 260 | ····-·name:·Ensure·ypserv·is·removed |
| 261 | ······package: | 261 | ······package: |
| 262 | ········name="{{item}}" | 262 | ········name="{{item}}" |
| 263 | ········state=absent | 263 | ········state=absent |
| 264 | ······with_items: | 264 | ······with_items: |
| 265 | ········-·ypserv | 265 | ········-·ypserv |
| 266 | ······tags: | 266 | ······tags: |
| Offset 389, 14 lines modified | Offset 389, 33 lines modified | ||
| 389 | ········-·low_disruption | 389 | ········-·low_disruption |
| 390 | ········-·CCE-80258-7 | 390 | ········-·CCE-80258-7 |
| 391 | ········-·NIST-800-53-AC-17(8) | 391 | ········-·NIST-800-53-AC-17(8) |
| 392 | ········-·NIST-800-53-CM-7 | 392 | ········-·NIST-800-53-CM-7 |
| 393 | ········-·NIST-800-53-CM-6(b) | 393 | ········-·NIST-800-53-CM-6(b) |
| 394 | ········-·DISA-STIG-RHEL-07-021300 | 394 | ········-·DISA-STIG-RHEL-07-021300 |
| 395 | ···· | 395 | ···· |
| 396 | ····-·name:·"Enable·Use·of·Strict·Mode·Checking" | ||
| 397 | ······lineinfile: | ||
| 398 | ········create:·yes | ||
| 399 | ········dest:·/etc/ssh/sshd_config | ||
| 400 | ········regexp:·(?i)^#?strictmodes | ||
| 401 | ········line:·StrictModes·yes | ||
| 402 | ········validate:·sshd·-t·-f·%s | ||
| 403 | ······#notify:·restart·sshd | ||
| 404 | ······tags: | ||
| 405 | ········-·sshd_enable_strictmodes | ||
| 406 | ········-·medium_severity | ||
| 407 | ········-·restrict_strategy | ||
| 408 | ········-·low_complexity | ||
| 409 | ········-·low_disruption | ||
| 410 | ········-·CCE-80222-3 | ||
| 411 | ········-·NIST-800-53-AC-6 | ||
| 412 | ········-·NIST-800-171-3.1.12 | ||
| 413 | ········-·DISA-STIG-RHEL-07-040450 | ||
| 414 | ···· | ||
| 396 | ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts" | 415 | ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts" |
| 397 | ······lineinfile: | 416 | ······lineinfile: |
| 398 | ········create:·yes | 417 | ········create:·yes |
| 399 | ········dest:·/etc/ssh/sshd_config | 418 | ········dest:·/etc/ssh/sshd_config |
| 400 | ········regexp:·^IgnoreUserKnownHosts | 419 | ········regexp:·^IgnoreUserKnownHosts |
| 401 | ········line:·IgnoreUserKnownHosts·yes | 420 | ········line:·IgnoreUserKnownHosts·yes |
| 402 | ········validate:·sshd·-t·-f·%s | 421 | ········validate:·sshd·-t·-f·%s |
| Offset 452, 32 lines modified | Offset 471, 14 lines modified | ||
| 452 | ········-·NIST-800-53-AC-2(5) | 471 | ········-·NIST-800-53-AC-2(5) |
| 453 | ········-·NIST-800-53-SA-8 | 472 | ········-·NIST-800-53-SA-8 |
| 454 | ········-·NIST-800-53-AC-12 | 473 | ········-·NIST-800-53-AC-12 |
| 455 | ········-·NIST-800-171-3.1.11 | 474 | ········-·NIST-800-171-3.1.11 |
| 456 | ········-·CJIS-5.5.6 | 475 | ········-·CJIS-5.5.6 |
| 457 | ········-·DISA-STIG-RHEL-07-040340 | 476 | ········-·DISA-STIG-RHEL-07-040340 |
| 458 | ···· | 477 | ···· |
| 459 | ····-·name:·Disable·SSH·Support·for·Rhosts·RSA·Authentication | ||
| 460 | ······lineinfile: | ||
| 461 | ········create:·yes | ||
| 462 | ········dest:·/etc/ssh/sshd_config | ||
| 463 | ········regexp:·^RhostsRSAAuthentication | ||
| 464 | ········line:·RhostsRSAAuthentication·no | ||
| 465 | ········validate:·sshd·-t·-f·%s | ||
| 466 | ······tags: | ||
| 467 | ········-·sshd_disable_rhosts_rsa | ||
| 468 | ········-·medium_severity | ||
| 469 | ········-·restrict_strategy | ||
| 470 | ········-·low_complexity | ||
| 471 | ········-·low_disruption | ||
| 472 | ········-·CCE-80373-4 | ||
| 473 | ········-·NIST-800-53-CM-6(a) | ||
| 474 | ········-·NIST-800-171-3.1.12 | ||
| 475 | ········-·DISA-STIG-RHEL-07-040330 | ||
| 476 | ···· | ||
| 477 | ····-·name:·Enable·SSH·Warning·Banner | 478 | ····-·name:·Enable·SSH·Warning·Banner |
| 478 | ······lineinfile: | 479 | ······lineinfile: |
| 479 | ········create:·yes | 480 | ········create:·yes |
| 480 | ········dest:·/etc/ssh/sshd_config | 481 | ········dest:·/etc/ssh/sshd_config |
| 481 | ········regexp:·^Banner | 482 | ········regexp:·^Banner |
| 482 | ········line:·Banner·/etc/issue | 483 | ········line:·Banner·/etc/issue |
| 483 | ········validate:·sshd·-t·-f·%s | 484 | ········validate:·sshd·-t·-f·%s |
| Offset 516, 33 lines modified | Offset 517, 14 lines modified | ||
| 516 | ········-·NIST-800-53-IA-7 | 517 | ········-·NIST-800-53-IA-7 |
| 517 | ········-·NIST-800-53-SC-13 | 518 | ········-·NIST-800-53-SC-13 |
| Max diff block lines reached; 98846/102348 bytes (96.58%) of diff not shown. | |||
| Offset 50, 93 lines modified | Offset 50, 93 lines modified | ||
| 50 | ·········· | 50 | ·········· |
| 51 | ···vars: | 51 | ···vars: |
| 52 | ······sshd_idle_timeout_value:·600 | 52 | ······sshd_idle_timeout_value:·600 |
| 53 | ······sshd_listening_port:·22 | 53 | ······sshd_listening_port:·22 |
| 54 | ······inactivity_timeout_value:·600 | 54 | ······inactivity_timeout_value:·600 |
| 55 | ······rsyslog_remote_loghost_address:·logcollector | 55 | ······rsyslog_remote_loghost_address:·logcollector |
| 56 | ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0 | 56 | ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0 |
| 57 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | ||
| 58 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 57 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 58 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | ||
| 59 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 59 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 60 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 60 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 61 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 61 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 62 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 62 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 63 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 63 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 64 | ······sysctl_net_ipv4_icmp_ | 64 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 65 | ······sysctl_net_ipv4_conf_default_ | 65 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 66 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 66 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 67 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 67 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 68 | ······sysctl_net_ipv4_conf_ | 68 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 69 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 69 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 70 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 70 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 71 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 71 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 72 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 72 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 73 | ······sysctl_net_ipv4_icmp_ | 73 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 74 | ······sysctl_net_ipv4_conf_ | 74 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 75 | ······sysctl_net_ipv4_conf_default_ | 75 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 76 | ······var_ssh_sysadm_login:·false | 76 | ······var_ssh_sysadm_login:·false |
| 77 | ······var_login_console_enabled:·true | ||
| 77 | ······var_auditadm_exec_content:·true | 78 | ······var_auditadm_exec_content:·true |
| 78 | ······var_selinuxuser_execstack:·true | 79 | ······var_selinuxuser_execstack:·true |
| 79 | ······var_mount_anyfile:·true | 80 | ······var_mount_anyfile:·true |
| 80 | ······var_ | 81 | ······var_cron_system_cronjob_use_shares:·false |
| 81 | ······var_cron_can_relabel:·false | 82 | ······var_cron_can_relabel:·false |
| 83 | ······var_guest_exec_content:·true | ||
| 84 | ······var_secure_mode:·false | ||
| 82 | ······var_user_exec_content:·true | 85 | ······var_user_exec_content:·true |
| 83 | ······var_deny_ptrace:·false | 86 | ······var_deny_ptrace:·false |
| 84 | ······var_guest_exec_content:·true | ||
| 85 | ······var_xserver_object_manager:·false | 87 | ······var_xserver_object_manager:·false |
| 86 | ······var_xdm_sysadm_login:·false | 88 | ······var_xdm_sysadm_login:·false |
| 89 | ······var_sysadm_exec_content:·true | ||
| 87 | ······var_selinuxuser_mysql_connect_enabled:·false | 90 | ······var_selinuxuser_mysql_connect_enabled:·false |
| 88 | ······var_ | 91 | ······var_selinuxuser_udp_server:·false |
| 89 | ······var_secure_mode:·false | ||
| 90 | ······var_ssh_keysign:·false | 92 | ······var_ssh_keysign:·false |
| 91 | ······var_staff_exec_content:·true | 93 | ······var_staff_exec_content:·true |
| 94 | ······var_gpg_web_anon_write:·false | ||
| 92 | ······var_xserver_execmem:·false | 95 | ······var_xserver_execmem:·false |
| 93 | ······var_ | 96 | ······var_cron_userdomain_transition:·true |
| 97 | ······var_xguest_mount_media:·true | ||
| 94 | ······var_selinuxuser_rw_noexattrfile:·true | 98 | ······var_selinuxuser_rw_noexattrfile:·true |
| 95 | ······var_deny_execmem:·false | 99 | ······var_deny_execmem:·false |
| 96 | ······var_ssh_chroot_rw_homedirs:·false | 100 | ······var_ssh_chroot_rw_homedirs:·false |
| 97 | ······var_logging_syslogd_can_sendmail:·false | ||
| 98 | ······var_abrt_anon_write:·false | 101 | ······var_abrt_anon_write:·false |
| 99 | ······var_ | 102 | ······var_kerberos_enabled:·true |
| 100 | ······var_logging_syslogd_use_tty:·true | 103 | ······var_logging_syslogd_use_tty:·true |
| 101 | ······var_login_console_enabled:·true | ||
| 102 | ······var_abrt_handle_event:·false | 104 | ······var_abrt_handle_event:·false |
| 105 | ······var_mock_enable_homedirs:·false | ||
| 106 | ······var_secure_mode_insmod:·false | ||
| 103 | ······var_unconfined_login:·true | 107 | ······var_unconfined_login:·true |
| 108 | ······var_logging_syslogd_can_sendmail:·false | ||
| 104 | ······var_selinuxuser_postgresql_connect_enabled:·false | 109 | ······var_selinuxuser_postgresql_connect_enabled:·false |
| 110 | ······var_daemons_use_tcp_wrapper:·false | ||
| 105 | ······var_abrt_upload_watch_anon_write:·true | 111 | ······var_abrt_upload_watch_anon_write:·true |
| 106 | ······var_daemons_use_tty:·false | 112 | ······var_daemons_use_tty:·false |
| 107 | ······var_selinuxuser_tcp_server:·false | 113 | ······var_selinuxuser_tcp_server:·false |
| 108 | ······var_selinuxuser_direct_dri_enabled:·true | 114 | ······var_selinuxuser_direct_dri_enabled:·true |
| 109 | ······var_xdm_bind_vnc_tcp_port:·false | 115 | ······var_xdm_bind_vnc_tcp_port:·false |
| 110 | ······var_xserver_clients_write_xshm:·false | 116 | ······var_xserver_clients_write_xshm:·false |
| 111 | ······var_use_ecryptfs_home_dirs:·false | 117 | ······var_use_ecryptfs_home_dirs:·false |
| 112 | ······var_mock_enable_homedirs:·false | ||
| 113 | ······var_xguest_exec_content:·true | 118 | ······var_xguest_exec_content:·true |
| 119 | ······var_xdm_write_home:·false | ||
| 120 | ······var_logadm_exec_content:·true | ||
| 114 | ······var_domain_fd_use:·true | 121 | ······var_domain_fd_use:·true |
| 115 | ······var_selinuxuser_udp_server:·false | ||
| 116 | ······var_mmap_low_allowed:·false | 122 | ······var_mmap_low_allowed:·false |
| 117 | ······var_selinuxuser_share_music:·false | 123 | ······var_selinuxuser_share_music:·false |
| 118 | ······var_selinuxuser_execmod:·true | 124 | ······var_selinuxuser_execmod:·true |
| 119 | ······var_cron_system_cronjob_use_shares:·false | ||
| 120 | ······var_logadm_exec_content:·true | ||
| 121 | ······var_xguest_connect_network:·true | 125 | ······var_xguest_connect_network:·true |
| 122 | ······var_xdm_write_home:·false | ||
| 123 | ······var_sysadm_exec_content:·true | ||
| 124 | ······var_xguest_use_bluetooth:·true | 126 | ······var_xguest_use_bluetooth:·true |
| 125 | ······var_ | 127 | ······var_selinuxuser_execheap:·false |
| 126 | ······var_secure_mode_policyload:·false | ||
| 127 | ······var_daemons_dump_core:·false | 128 | ······var_daemons_dump_core:·false |
| 128 | ······var_xdm_exec_bootloader:·false | 129 | ······var_xdm_exec_bootloader:·false |
| 129 | ······var_gpg_web_anon_write:·false | ||
| 130 | ······var_fips_mode:·true | 130 | ······var_fips_mode:·true |
| 131 | ······var_polyinstantiation_enabled:·false | 131 | ······var_polyinstantiation_enabled:·false |
| 132 | ······var_domain_kernel_load_modules:·false | 132 | ······var_domain_kernel_load_modules:·false |
| 133 | ······var_selinuxuser_use_ssh_chroot:·false | 133 | ······var_selinuxuser_use_ssh_chroot:·false |
| 134 | ······var_selinuxuser_ping:·true | 134 | ······var_selinuxuser_ping:·true |
| 135 | ······var_se | 135 | ······var_secure_mode_policyload:·false |
| 136 | ······var_secadm_exec_content:·true | 136 | ······var_secadm_exec_content:·true |
| 137 | ······var_selinux_policy_name:·targeted | 137 | ······var_selinux_policy_name:·targeted |
| 138 | ······var_selinux_state:·enforcing | 138 | ······var_selinux_state:·enforcing |
| 139 | ······var_accounts_password_minlen_login_defs:·6 | 139 | ······var_accounts_password_minlen_login_defs:·6 |
| 140 | ······var_accounts_password_warn_age_login_defs:·7 | 140 | ······var_accounts_password_warn_age_login_defs:·7 |
| 141 | ······var_accounts_minimum_age_login_defs:·7 | 141 | ······var_accounts_minimum_age_login_defs:·7 |
| 142 | ······var_accounts_maximum_age_login_defs:·60 | 142 | ······var_accounts_maximum_age_login_defs:·60 |
| Offset 156, 22 lines modified | Offset 156, 22 lines modified | ||
| 156 | ······var_password_pam_difok:·8 | 156 | ······var_password_pam_difok:·8 |
| 157 | ······var_password_pam_ocredit:·-1 | 157 | ······var_password_pam_ocredit:·-1 |
| 158 | ······var_password_pam_lcredit:·-1 | 158 | ······var_password_pam_lcredit:·-1 |
| 159 | ······var_password_pam_ucredit:·-1 | 159 | ······var_password_pam_ucredit:·-1 |
| 160 | ······var_password_pam_retry:·3 | 160 | ······var_password_pam_retry:·3 |
| 161 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 161 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 162 | ······var_accounts_user_umask:·077 | 162 | ······var_accounts_user_umask:·077 |
| 163 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 163 | ······var_accounts_fail_delay:·4 | 164 | ······var_accounts_fail_delay:·4 |
| 164 | ······var_accounts_tmout:·600 | 165 | ······var_accounts_tmout:·600 |
| 165 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 166 | ······var_auditd_max_log_file:·6 | 166 | ······var_auditd_max_log_file:·6 |
| 167 | ······var_auditd_action_mail_acct:·root | 167 | ······var_auditd_action_mail_acct:·root |
| 168 | ······var_auditd_space_left_action:·email | ||
| 169 | ······var_auditd_admin_space_left_action:·single | 168 | ······var_auditd_admin_space_left_action:·single |
| 170 | ······var_auditd_max_log_file_action:·rotate | 169 | ······var_auditd_max_log_file_action:·rotate |
| 170 | ······var_auditd_space_left_action:·email | ||
| 171 | ······var_removable_partition:·/dev/cdrom | 171 | ······var_removable_partition:·/dev/cdrom |
| 172 | ······var_removable_partition:·/dev/cdrom | 172 | ······var_removable_partition:·/dev/cdrom |
| 173 | ······var_removable_partition:·/dev/cdrom | 173 | ······var_removable_partition:·/dev/cdrom |
| Max diff block lines reached; 173777/180658 bytes (96.19%) of diff not shown. | |||
| Offset 61, 93 lines modified | Offset 61, 93 lines modified | ||
| 61 | ·········· | 61 | ·········· |
| 62 | ···vars: | 62 | ···vars: |
| 63 | ······sshd_idle_timeout_value:·600 | 63 | ······sshd_idle_timeout_value:·600 |
| 64 | ······sshd_listening_port:·22 | 64 | ······sshd_listening_port:·22 |
| 65 | ······inactivity_timeout_value:·900 | 65 | ······inactivity_timeout_value:·900 |
| 66 | ······rsyslog_remote_loghost_address:·logcollector | 66 | ······rsyslog_remote_loghost_address:·logcollector |
| 67 | ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0 | 67 | ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0 |
| 68 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | ||
| 69 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 68 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 69 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | ||
| 70 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 70 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 71 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 71 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 72 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 72 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 73 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 73 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 74 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 74 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 75 | ······sysctl_net_ipv4_icmp_ | 75 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 76 | ······sysctl_net_ipv4_conf_default_ | 76 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 77 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 77 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 78 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 78 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 79 | ······sysctl_net_ipv4_conf_ | 79 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 80 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 80 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 81 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 81 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 82 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 82 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 83 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 83 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 84 | ······sysctl_net_ipv4_icmp_ | 84 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 85 | ······sysctl_net_ipv4_conf_ | 85 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 86 | ······sysctl_net_ipv4_conf_default_ | 86 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 87 | ······var_ssh_sysadm_login:·false | 87 | ······var_ssh_sysadm_login:·false |
| 88 | ······var_login_console_enabled:·true | ||
| 88 | ······var_auditadm_exec_content:·true | 89 | ······var_auditadm_exec_content:·true |
| 89 | ······var_selinuxuser_execstack:·true | 90 | ······var_selinuxuser_execstack:·true |
| 90 | ······var_mount_anyfile:·true | 91 | ······var_mount_anyfile:·true |
| 91 | ······var_ | 92 | ······var_cron_system_cronjob_use_shares:·false |
| 92 | ······var_cron_can_relabel:·false | 93 | ······var_cron_can_relabel:·false |
| 94 | ······var_guest_exec_content:·true | ||
| 95 | ······var_secure_mode:·false | ||
| 93 | ······var_user_exec_content:·true | 96 | ······var_user_exec_content:·true |
| 94 | ······var_deny_ptrace:·false | 97 | ······var_deny_ptrace:·false |
| 95 | ······var_guest_exec_content:·true | ||
| 96 | ······var_xserver_object_manager:·false | 98 | ······var_xserver_object_manager:·false |
| 97 | ······var_xdm_sysadm_login:·false | 99 | ······var_xdm_sysadm_login:·false |
| 100 | ······var_sysadm_exec_content:·true | ||
| 98 | ······var_selinuxuser_mysql_connect_enabled:·false | 101 | ······var_selinuxuser_mysql_connect_enabled:·false |
| 99 | ······var_ | 102 | ······var_selinuxuser_udp_server:·false |
| 100 | ······var_secure_mode:·false | ||
| 101 | ······var_ssh_keysign:·false | 103 | ······var_ssh_keysign:·false |
| 102 | ······var_staff_exec_content:·true | 104 | ······var_staff_exec_content:·true |
| 105 | ······var_gpg_web_anon_write:·false | ||
| 103 | ······var_xserver_execmem:·false | 106 | ······var_xserver_execmem:·false |
| 104 | ······var_ | 107 | ······var_cron_userdomain_transition:·true |
| 108 | ······var_xguest_mount_media:·true | ||
| 105 | ······var_selinuxuser_rw_noexattrfile:·true | 109 | ······var_selinuxuser_rw_noexattrfile:·true |
| 106 | ······var_deny_execmem:·false | 110 | ······var_deny_execmem:·false |
| 107 | ······var_ssh_chroot_rw_homedirs:·false | 111 | ······var_ssh_chroot_rw_homedirs:·false |
| 108 | ······var_logging_syslogd_can_sendmail:·false | ||
| 109 | ······var_abrt_anon_write:·false | 112 | ······var_abrt_anon_write:·false |
| 110 | ······var_ | 113 | ······var_kerberos_enabled:·true |
| 111 | ······var_logging_syslogd_use_tty:·true | 114 | ······var_logging_syslogd_use_tty:·true |
| 112 | ······var_login_console_enabled:·true | ||
| 113 | ······var_abrt_handle_event:·false | 115 | ······var_abrt_handle_event:·false |
| 116 | ······var_mock_enable_homedirs:·false | ||
| 117 | ······var_secure_mode_insmod:·false | ||
| 114 | ······var_unconfined_login:·true | 118 | ······var_unconfined_login:·true |
| 119 | ······var_logging_syslogd_can_sendmail:·false | ||
| 115 | ······var_selinuxuser_postgresql_connect_enabled:·false | 120 | ······var_selinuxuser_postgresql_connect_enabled:·false |
| 121 | ······var_daemons_use_tcp_wrapper:·false | ||
| 116 | ······var_abrt_upload_watch_anon_write:·true | 122 | ······var_abrt_upload_watch_anon_write:·true |
| 117 | ······var_daemons_use_tty:·false | 123 | ······var_daemons_use_tty:·false |
| 118 | ······var_selinuxuser_tcp_server:·false | 124 | ······var_selinuxuser_tcp_server:·false |
| 119 | ······var_selinuxuser_direct_dri_enabled:·true | 125 | ······var_selinuxuser_direct_dri_enabled:·true |
| 120 | ······var_xdm_bind_vnc_tcp_port:·false | 126 | ······var_xdm_bind_vnc_tcp_port:·false |
| 121 | ······var_xserver_clients_write_xshm:·false | 127 | ······var_xserver_clients_write_xshm:·false |
| 122 | ······var_use_ecryptfs_home_dirs:·false | 128 | ······var_use_ecryptfs_home_dirs:·false |
| 123 | ······var_mock_enable_homedirs:·false | ||
| 124 | ······var_xguest_exec_content:·true | 129 | ······var_xguest_exec_content:·true |
| 130 | ······var_xdm_write_home:·false | ||
| 131 | ······var_logadm_exec_content:·true | ||
| 125 | ······var_domain_fd_use:·true | 132 | ······var_domain_fd_use:·true |
| 126 | ······var_selinuxuser_udp_server:·false | ||
| 127 | ······var_mmap_low_allowed:·false | 133 | ······var_mmap_low_allowed:·false |
| 128 | ······var_selinuxuser_share_music:·false | 134 | ······var_selinuxuser_share_music:·false |
| 129 | ······var_selinuxuser_execmod:·true | 135 | ······var_selinuxuser_execmod:·true |
| 130 | ······var_cron_system_cronjob_use_shares:·false | ||
| 131 | ······var_logadm_exec_content:·true | ||
| 132 | ······var_xguest_connect_network:·true | 136 | ······var_xguest_connect_network:·true |
| 133 | ······var_xdm_write_home:·false | ||
| 134 | ······var_sysadm_exec_content:·true | ||
| 135 | ······var_xguest_use_bluetooth:·true | 137 | ······var_xguest_use_bluetooth:·true |
| 136 | ······var_ | 138 | ······var_selinuxuser_execheap:·false |
| 137 | ······var_secure_mode_policyload:·false | ||
| 138 | ······var_daemons_dump_core:·false | 139 | ······var_daemons_dump_core:·false |
| 139 | ······var_xdm_exec_bootloader:·false | 140 | ······var_xdm_exec_bootloader:·false |
| 140 | ······var_gpg_web_anon_write:·false | ||
| 141 | ······var_fips_mode:·true | 141 | ······var_fips_mode:·true |
| 142 | ······var_polyinstantiation_enabled:·false | 142 | ······var_polyinstantiation_enabled:·false |
| 143 | ······var_domain_kernel_load_modules:·false | 143 | ······var_domain_kernel_load_modules:·false |
| 144 | ······var_selinuxuser_use_ssh_chroot:·false | 144 | ······var_selinuxuser_use_ssh_chroot:·false |
| 145 | ······var_selinuxuser_ping:·true | 145 | ······var_selinuxuser_ping:·true |
| 146 | ······var_se | 146 | ······var_secure_mode_policyload:·false |
| 147 | ······var_secadm_exec_content:·true | 147 | ······var_secadm_exec_content:·true |
| 148 | ······var_selinux_policy_name:·targeted | 148 | ······var_selinux_policy_name:·targeted |
| 149 | ······var_selinux_state:·enforcing | 149 | ······var_selinux_state:·enforcing |
| 150 | ······var_accounts_password_minlen_login_defs:·6 | 150 | ······var_accounts_password_minlen_login_defs:·6 |
| 151 | ······var_accounts_password_warn_age_login_defs:·7 | 151 | ······var_accounts_password_warn_age_login_defs:·7 |
| 152 | ······var_accounts_minimum_age_login_defs:·7 | 152 | ······var_accounts_minimum_age_login_defs:·7 |
| 153 | ······var_accounts_maximum_age_login_defs:·60 | 153 | ······var_accounts_maximum_age_login_defs:·60 |
| Offset 167, 22 lines modified | Offset 167, 22 lines modified | ||
| 167 | ······var_password_pam_difok:·8 | 167 | ······var_password_pam_difok:·8 |
| 168 | ······var_password_pam_ocredit:·-1 | 168 | ······var_password_pam_ocredit:·-1 |
| 169 | ······var_password_pam_lcredit:·-1 | 169 | ······var_password_pam_lcredit:·-1 |
| 170 | ······var_password_pam_ucredit:·-1 | 170 | ······var_password_pam_ucredit:·-1 |
| 171 | ······var_password_pam_retry:·3 | 171 | ······var_password_pam_retry:·3 |
| 172 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 172 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 173 | ······var_accounts_user_umask:·077 | 173 | ······var_accounts_user_umask:·077 |
| 174 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 174 | ······var_accounts_fail_delay:·4 | 175 | ······var_accounts_fail_delay:·4 |
| 175 | ······var_accounts_tmout:·600 | 176 | ······var_accounts_tmout:·600 |
| 176 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 177 | ······var_auditd_max_log_file:·6 | 177 | ······var_auditd_max_log_file:·6 |
| 178 | ······var_auditd_action_mail_acct:·root | 178 | ······var_auditd_action_mail_acct:·root |
| 179 | ······var_auditd_space_left_action:·email | ||
| 180 | ······var_auditd_admin_space_left_action:·single | 179 | ······var_auditd_admin_space_left_action:·single |
| 181 | ······var_auditd_max_log_file_action:·rotate | 180 | ······var_auditd_max_log_file_action:·rotate |
| 181 | ······var_auditd_space_left_action:·email | ||
| 182 | ······var_removable_partition:·/dev/cdrom | 182 | ······var_removable_partition:·/dev/cdrom |
| 183 | ······var_removable_partition:·/dev/cdrom | 183 | ······var_removable_partition:·/dev/cdrom |
| 184 | ······var_removable_partition:·/dev/cdrom | 184 | ······var_removable_partition:·/dev/cdrom |
| Max diff block lines reached; 173778/180659 bytes (96.19%) of diff not shown. | |||
| Offset 43, 17 lines modified | Offset 43, 17 lines modified | ||
| 43 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 43 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 44 | ······var_password_pam_minlen:·7 | 44 | ······var_password_pam_minlen:·7 |
| 45 | ······var_password_pam_dcredit:·-1 | 45 | ······var_password_pam_dcredit:·-1 |
| 46 | ······var_password_pam_lcredit:·-1 | 46 | ······var_password_pam_lcredit:·-1 |
| 47 | ······var_password_pam_ucredit:·-1 | 47 | ······var_password_pam_ucredit:·-1 |
| 48 | ······var_auditd_max_log_file:·1 | 48 | ······var_auditd_max_log_file:·1 |
| 49 | ······var_auditd_action_mail_acct:·admin | 49 | ······var_auditd_action_mail_acct:·admin |
| 50 | ······var_auditd_space_left_action:·suspend | ||
| 51 | ······var_auditd_admin_space_left_action:·suspend | 50 | ······var_auditd_admin_space_left_action:·suspend |
| 52 | ······var_auditd_max_log_file_action:·rotate | 51 | ······var_auditd_max_log_file_action:·rotate |
| 52 | ······var_auditd_space_left_action:·suspend | ||
| 53 | ···tasks: | 53 | ···tasks: |
| 54 | ···· | 54 | ···· |
| 55 | ···· | 55 | ···· |
| 56 | ····-·name:·Set·SSH·Idle·Timeout·Interval | 56 | ····-·name:·Set·SSH·Idle·Timeout·Interval |
| 57 | ······lineinfile: | 57 | ······lineinfile: |
| 58 | ········create:·yes | 58 | ········create:·yes |
| 59 | ········dest:·/etc/ssh/sshd_config | 59 | ········dest:·/etc/ssh/sshd_config |
| Offset 596, 91 lines modified | Offset 596, 91 lines modified | ||
| 596 | ········-·CCE-80111-8 | 596 | ········-·CCE-80111-8 |
| 597 | ········-·NIST-800-53-AC-11(a) | 597 | ········-·NIST-800-53-AC-11(a) |
| 598 | ········-·NIST-800-171-3.1.10 | 598 | ········-·NIST-800-171-3.1.10 |
| 599 | ········-·PCI-DSS-Req-8.1.8 | 599 | ········-·PCI-DSS-Req-8.1.8 |
| 600 | ········-·CJIS-5.5.5 | 600 | ········-·CJIS-5.5.5 |
| 601 | ········-·DISA-STIG-RHEL-07-010100 | 601 | ········-·DISA-STIG-RHEL-07-010100 |
| 602 | ···· | 602 | ···· |
| 603 | ···· | 603 | ····-·name:·"Implement·Blank·Screensaver" |
| 604 | ···· | ||
| 605 | ····-·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout" | ||
| 606 | ······ini_file: | 604 | ······ini_file: |
| 607 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" | 605 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" |
| 608 | ········section:·"org/gnome/desktop/screensaver" | 606 | ········section:·"org/gnome/desktop/screensaver" |
| 609 | ········option:·i | 607 | ········option:·picture-uri |
| 610 | ········value:· | 608 | ········value:·string·'' |
| 611 | ········create:·yes | 609 | ········create:·yes |
| 612 | ······tags: | 610 | ······tags: |
| 613 | ········-·dconf_gnome_screensaver_ | 611 | ········-·dconf_gnome_screensaver_mode_blank |
| 614 | ········-· | 612 | ········-·unknown_severity |
| 615 | ········-·unknown_strategy | 613 | ········-·unknown_strategy |
| 616 | ········-·low_complexity | 614 | ········-·low_complexity |
| 617 | ········-·medium_disruption | 615 | ········-·medium_disruption |
| 618 | ········-·CCE-8011 | 616 | ········-·CCE-80113-4 |
| 619 | ········-·NIST-800-53-AC-11( | 617 | ········-·NIST-800-53-AC-11(b) |
| 620 | ········-·NIST-800-171-3.1.10 | 618 | ········-·NIST-800-171-3.1.10 |
| 621 | ········-·PCI-DSS-Req-8.1.8 | 619 | ········-·PCI-DSS-Req-8.1.8 |
| 622 | ········-·CJIS-5.5.5 | 620 | ········-·CJIS-5.5.5 |
| 623 | ········-·DISA-STIG-RHEL-07-010070 | ||
| 624 | ···· | 621 | ···· |
| 625 | ····-·name:·"Prevent·user·modification·of·GNOME·i | 622 | ····-·name:·"Prevent·user·modification·of·GNOME·picture-uri" |
| 626 | ······lineinfile: | 623 | ······lineinfile: |
| 627 | ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock | 624 | ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock |
| 628 | ········regexp:·'^/org/gnome/desktop/screensaver/i | 625 | ········regexp:·'^/org/gnome/desktop/screensaver/picture-uri' |
| 629 | ········line:·'/org/gnome/desktop/screensaver/i | 626 | ········line:·'/org/gnome/desktop/screensaver/picture-uri' |
| 630 | ········create:·yes | 627 | ········create:·yes |
| 631 | ······tags: | 628 | ······tags: |
| 632 | ········-·dconf_gnome_screensaver_ | 629 | ········-·dconf_gnome_screensaver_mode_blank |
| 633 | ········-· | 630 | ········-·unknown_severity |
| 634 | ········-·unknown_strategy | 631 | ········-·unknown_strategy |
| 635 | ········-·low_complexity | 632 | ········-·low_complexity |
| 636 | ········-·medium_disruption | 633 | ········-·medium_disruption |
| 637 | ········-·CCE-8011 | 634 | ········-·CCE-80113-4 |
| 638 | ········-·NIST-800-53-AC-11( | 635 | ········-·NIST-800-53-AC-11(b) |
| 639 | ········-·NIST-800-171-3.1.10 | 636 | ········-·NIST-800-171-3.1.10 |
| 640 | ········-·PCI-DSS-Req-8.1.8 | 637 | ········-·PCI-DSS-Req-8.1.8 |
| 641 | ········-·CJIS-5.5.5 | 638 | ········-·CJIS-5.5.5 |
| 642 | ········-·DISA-STIG-RHEL-07-010070 | ||
| 643 | ···· | 639 | ···· |
| 644 | ···· | 640 | ···· |
| 641 | ···· | ||
| 642 | ····-·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout" | ||
| 645 | ······ini_file: | 643 | ······ini_file: |
| 646 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" | 644 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" |
| 647 | ········section:·"org/gnome/desktop/screensaver" | 645 | ········section:·"org/gnome/desktop/screensaver" |
| 648 | ········option:· | 646 | ········option:·idle-delay |
| 649 | ········value:· | 647 | ········value:·"{{·inactivity_timeout_value·}}" |
| 650 | ········create:·yes | 648 | ········create:·yes |
| 651 | ······tags: | 649 | ······tags: |
| 652 | ········-·dconf_gnome_screensaver_ | 650 | ········-·dconf_gnome_screensaver_idle_delay |
| 653 | ········-· | 651 | ········-·medium_severity |
| 654 | ········-·unknown_strategy | 652 | ········-·unknown_strategy |
| 655 | ········-·low_complexity | 653 | ········-·low_complexity |
| 656 | ········-·medium_disruption | 654 | ········-·medium_disruption |
| 657 | ········-·CCE-8011 | 655 | ········-·CCE-80110-0 |
| 658 | ········-·NIST-800-53-AC-11( | 656 | ········-·NIST-800-53-AC-11(a) |
| 659 | ········-·NIST-800-171-3.1.10 | 657 | ········-·NIST-800-171-3.1.10 |
| 660 | ········-·PCI-DSS-Req-8.1.8 | 658 | ········-·PCI-DSS-Req-8.1.8 |
| 661 | ········-·CJIS-5.5.5 | 659 | ········-·CJIS-5.5.5 |
| 660 | ········-·DISA-STIG-RHEL-07-010070 | ||
| 662 | ···· | 661 | ···· |
| 663 | ····-·name:·"Prevent·user·modification·of·GNOME· | 662 | ····-·name:·"Prevent·user·modification·of·GNOME·idle-delay" |
| 664 | ······lineinfile: | 663 | ······lineinfile: |
| 665 | ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock | 664 | ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock |
| 666 | ········regexp:·'^/org/gnome/desktop/screensaver/ | 665 | ········regexp:·'^/org/gnome/desktop/screensaver/idle-delay' |
| 667 | ········line:·'/org/gnome/desktop/screensaver/ | 666 | ········line:·'/org/gnome/desktop/screensaver/idle-delay' |
| 668 | ········create:·yes | 667 | ········create:·yes |
| 669 | ······tags: | 668 | ······tags: |
| 670 | ········-·dconf_gnome_screensaver_ | 669 | ········-·dconf_gnome_screensaver_idle_delay |
| 671 | ········-· | 670 | ········-·medium_severity |
| 672 | ········-·unknown_strategy | 671 | ········-·unknown_strategy |
| 673 | ········-·low_complexity | 672 | ········-·low_complexity |
| 674 | ········-·medium_disruption | 673 | ········-·medium_disruption |
| 675 | ········-·CCE-8011 | 674 | ········-·CCE-80110-0 |
| 676 | ········-·NIST-800-53-AC-11( | 675 | ········-·NIST-800-53-AC-11(a) |
| 677 | ········-·NIST-800-171-3.1.10 | 676 | ········-·NIST-800-171-3.1.10 |
| 678 | ········-·PCI-DSS-Req-8.1.8 | 677 | ········-·PCI-DSS-Req-8.1.8 |
| 679 | ········-·CJIS-5.5.5 | 678 | ········-·CJIS-5.5.5 |
| 679 | ········-·DISA-STIG-RHEL-07-010070 | ||
| 680 | ···· | 680 | ···· |
| 681 | ····-·name:·"Enable·GNOME3·Screensaver·Lock·After·Idle·Period" | 681 | ····-·name:·"Enable·GNOME3·Screensaver·Lock·After·Idle·Period" |
| 682 | ······ini_file: | 682 | ······ini_file: |
| 683 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" | 683 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" |
| 684 | ········section:·"org/gnome/desktop/screensaver" | 684 | ········section:·"org/gnome/desktop/screensaver" |
| 685 | ········option:·lock-enabled | 685 | ········option:·lock-enabled |
| 686 | ········value:·"true" | 686 | ········value:·"true" |
| Offset 1129, 79 lines modified | Offset 1129, 79 lines modified | ||
| 1129 | ········-·NIST-800-171-3.3.1 | 1129 | ········-·NIST-800-171-3.3.1 |
| 1130 | ········-·PCI-DSS-Req-10.7.a | 1130 | ········-·PCI-DSS-Req-10.7.a |
| 1131 | ········-·CJIS-5.4.1.1 | 1131 | ········-·CJIS-5.4.1.1 |
| 1132 | ········-·DISA-STIG-RHEL-07-030350 | 1132 | ········-·DISA-STIG-RHEL-07-030350 |
| 1133 | ···· | 1133 | ···· |
| 1134 | ···· | 1134 | ···· |
| 1135 | ···· | 1135 | ···· |
| 1136 | ····-·name:·Configure·auditd·space_left·Action·on·Low·Disk·Space | 1136 | ····-·name:·Configure·auditd·admin_space_left·Action·on·Low·Disk·Space |
| 1137 | ······lineinfile: | 1137 | ······lineinfile: |
| 1138 | ········dest:·/etc/audit/auditd.conf | 1138 | ········dest:·/etc/audit/auditd.conf |
| 1139 | ········line:·"space_left_action·=·{{·var_auditd_space_left_action·}}" | 1139 | ········line:·"admin_space_left_action·=·{{·var_auditd_admin_space_left_action·}}" |
| 1140 | ········regexp:·^space_left_action* | 1140 | ········regexp:·"^admin_space_left_action*" |
| Max diff block lines reached; 56742/62091 bytes (91.39%) of diff not shown. | |||
| Offset 164, 14 lines modified | Offset 164, 39 lines modified | ||
| 164 | ········-·NIST-800-53-AC-2(5) | 164 | ········-·NIST-800-53-AC-2(5) |
| 165 | ········-·NIST-800-53-SA-8 | 165 | ········-·NIST-800-53-SA-8 |
| 166 | ········-·NIST-800-53-AC-12 | 166 | ········-·NIST-800-53-AC-12 |
| 167 | ········-·NIST-800-171-3.1.11 | 167 | ········-·NIST-800-171-3.1.11 |
| 168 | ········-·CJIS-5.5.6 | 168 | ········-·CJIS-5.5.6 |
| 169 | ········-·DISA-STIG-RHEL-07-040340 | 169 | ········-·DISA-STIG-RHEL-07-040340 |
| 170 | ···· | 170 | ···· |
| 171 | ···· | ||
| 172 | ···· | ||
| 173 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 174 | ······lineinfile: | ||
| 175 | ········create:·yes | ||
| 176 | ········dest:·/etc/ssh/sshd_config | ||
| 177 | ········regexp:·^ClientAliveInterval | ||
| 178 | ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}" | ||
| 179 | ········validate:·sshd·-t·-f·%s | ||
| 180 | ······#notify:·restart·sshd | ||
| 181 | ······tags: | ||
| 182 | ········-·sshd_set_idle_timeout | ||
| 183 | ········-·unknown_severity | ||
| 184 | ········-·restrict_strategy | ||
| 185 | ········-·low_complexity | ||
| 186 | ········-·low_disruption | ||
| 187 | ········-·CCE-27433-2 | ||
| 188 | ········-·NIST-800-53-AC-2(5) | ||
| 189 | ········-·NIST-800-53-SA-8(i) | ||
| 190 | ········-·NIST-800-53-AC-12 | ||
| 191 | ········-·NIST-800-171-3.1.11 | ||
| 192 | ········-·PCI-DSS-Req-8.1.8 | ||
| 193 | ········-·CJIS-5.5.6 | ||
| 194 | ········-·DISA-STIG-RHEL-07-040320 | ||
| 195 | ···· | ||
| 171 | ····-·name:·Enable·SSH·Warning·Banner | 196 | ····-·name:·Enable·SSH·Warning·Banner |
| 172 | ······lineinfile: | 197 | ······lineinfile: |
| 173 | ········create:·yes | 198 | ········create:·yes |
| 174 | ········dest:·/etc/ssh/sshd_config | 199 | ········dest:·/etc/ssh/sshd_config |
| 175 | ········regexp:·^Banner | 200 | ········regexp:·^Banner |
| 176 | ········line:·Banner·/etc/issue | 201 | ········line:·Banner·/etc/issue |
| 177 | ········validate:·sshd·-t·-f·%s | 202 | ········validate:·sshd·-t·-f·%s |
| Offset 187, 33 lines modified | Offset 212, 14 lines modified | ||
| 187 | ········-·NIST-800-53-AC-8(c)(1) | 212 | ········-·NIST-800-53-AC-8(c)(1) |
| 188 | ········-·NIST-800-53-AC-8(c)(2) | 213 | ········-·NIST-800-53-AC-8(c)(2) |
| 189 | ········-·NIST-800-53-AC-8(c)(3) | 214 | ········-·NIST-800-53-AC-8(c)(3) |
| 190 | ········-·NIST-800-171-3.1.9 | 215 | ········-·NIST-800-171-3.1.9 |
| 191 | ········-·CJIS-5.5.6 | 216 | ········-·CJIS-5.5.6 |
| 192 | ········-·DISA-STIG-RHEL-07-040170 | 217 | ········-·DISA-STIG-RHEL-07-040170 |
| 193 | ···· | 218 | ···· |
| 194 | ····-·name:·Do·Not·Allow·SSH·Environment·Options | ||
| 195 | ······lineinfile: | ||
| 196 | ········create:·yes | ||
| 197 | ········dest:·/etc/ssh/sshd_config | ||
| 198 | ········regexp:·^PermitUserEnvironment | ||
| 199 | ········line:·PermitUserEnvironment·no | ||
| 200 | ········validate:·sshd·-t·-f·%s | ||
| 201 | ······tags: | ||
| 202 | ········-·sshd_do_not_permit_user_env | ||
| 203 | ········-·medium_severity | ||
| 204 | ········-·restrict_strategy | ||
| 205 | ········-·low_complexity | ||
| 206 | ········-·low_disruption | ||
| 207 | ········-·CCE-27363-1 | ||
| 208 | ········-·NIST-800-53-CM-6(b) | ||
| 209 | ········-·NIST-800-171-3.1.12 | ||
| 210 | ········-·CJIS-5.5.6 | ||
| 211 | ········-·DISA-STIG-RHEL-07-010460 | ||
| 212 | ···· | ||
| 213 | ···· | 219 | ···· |
| 214 | ····-·name:·"Allow·Only·SSH·Protocol·2" | 220 | ····-·name:·"Allow·Only·SSH·Protocol·2" |
| 215 | ······lineinfile: | 221 | ······lineinfile: |
| 216 | ········dest:·/etc/ssh/sshd_config | 222 | ········dest:·/etc/ssh/sshd_config |
| 217 | ········regexp:·"^Protocol·[0-9]" | 223 | ········regexp:·"^Protocol·[0-9]" |
| 218 | ········line:·"Protocol·2" | 224 | ········line:·"Protocol·2" |
| 219 | ········validate:·sshd·-t·-f·%s | 225 | ········validate:·sshd·-t·-f·%s |
| Offset 248, 38 lines modified | Offset 254, 32 lines modified | ||
| 248 | ········-·CCE-27377-1 | 254 | ········-·CCE-27377-1 |
| 249 | ········-·NIST-800-53-AC-3 | 255 | ········-·NIST-800-53-AC-3 |
| 250 | ········-·NIST-800-53-CM-6(a) | 256 | ········-·NIST-800-53-CM-6(a) |
| 251 | ········-·NIST-800-171-3.1.12 | 257 | ········-·NIST-800-171-3.1.12 |
| 252 | ········-·CJIS-5.5.6 | 258 | ········-·CJIS-5.5.6 |
| 253 | ········-·DISA-STIG-RHEL-07-040350 | 259 | ········-·DISA-STIG-RHEL-07-040350 |
| 254 | ···· | 260 | ···· |
| 255 | ···· | 261 | ····-·name:·Do·Not·Allow·SSH·Environment·Options |
| 256 | ···· | ||
| 257 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 258 | ······lineinfile: | 262 | ······lineinfile: |
| 259 | ········create:·yes | 263 | ········create:·yes |
| 260 | ········dest:·/etc/ssh/sshd_config | 264 | ········dest:·/etc/ssh/sshd_config |
| 261 | ········regexp:·^ | 265 | ········regexp:·^PermitUserEnvironment |
| 262 | ········line:· | 266 | ········line:·PermitUserEnvironment·no |
| 263 | ········validate:·sshd·-t·-f·%s | 267 | ········validate:·sshd·-t·-f·%s |
| 264 | ······#notify:·restart·sshd | ||
| 265 | ······tags: | 268 | ······tags: |
| 266 | ········-·sshd_ | 269 | ········-·sshd_do_not_permit_user_env |
| 267 | ········-· | 270 | ········-·medium_severity |
| 268 | ········-·restrict_strategy | 271 | ········-·restrict_strategy |
| 269 | ········-·low_complexity | 272 | ········-·low_complexity |
| 270 | ········-·low_disruption | 273 | ········-·low_disruption |
| 271 | ········-·CCE-27 | 274 | ········-·CCE-27363-1 |
| 272 | ········-·NIST-800-53- | 275 | ········-·NIST-800-53-CM-6(b) |
| 273 | ········-·NIST-800- | 276 | ········-·NIST-800-171-3.1.12 |
| 274 | ········-·NIST-800-53-AC-12 | ||
| 275 | ········-·NIST-800-171-3.1.11 | ||
| 276 | ········-·PCI-DSS-Req-8.1.8 | ||
| 277 | ········-·CJIS-5.5.6 | 277 | ········-·CJIS-5.5.6 |
| 278 | ········-·DISA-STIG-RHEL-07-0 | 278 | ········-·DISA-STIG-RHEL-07-010460 |
| 279 | ···· | 279 | ···· |
| 280 | ····-·name:·Use·Only·Approved·Ciphers | 280 | ····-·name:·Use·Only·Approved·Ciphers |
| 281 | ······lineinfile: | 281 | ······lineinfile: |
| 282 | ········create:·yes | 282 | ········create:·yes |
| 283 | ········dest:·/etc/ssh/sshd_config | 283 | ········dest:·/etc/ssh/sshd_config |
| 284 | ········regexp:·^Ciphers | 284 | ········regexp:·^Ciphers |
| 285 | ········line:·Ciphers·aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc | 285 | ········line:·Ciphers·aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc |
| Offset 1435, 72 lines modified | Offset 1435, 72 lines modified | ||
| 1435 | ········-·low_complexity | 1435 | ········-·low_complexity |
| 1436 | ········-·low_disruption | 1436 | ········-·low_disruption |
| 1437 | ········-·CCE-26887-0 | 1437 | ········-·CCE-26887-0 |
| 1438 | ········-·NIST-800-53-AC-6 | 1438 | ········-·NIST-800-53-AC-6 |
| 1439 | ········-·PCI-DSS-Req-8.7.c | 1439 | ········-·PCI-DSS-Req-8.7.c |
| 1440 | ········-·CJIS-5.5.2.2 | 1440 | ········-·CJIS-5.5.2.2 |
| 1441 | ···· | 1441 | ···· |
| 1442 | ····-·name:·"Read·list· | 1442 | ····-·name:·"Read·list·of·world·and·group·writable·system·executables" |
| 1443 | ······shell:·"find· | 1443 | ······shell:·"find·/bin·/usr/bin·/usr/local/bin·/sbin·/usr/sbin·/usr/local/sbin·/usr/libexec·-perm·/022·-type·f" |
| 1444 | ······register:· | 1444 | ······register:·world_writable_library_files |
| 1445 | ······changed_when:·False | 1445 | ······changed_when:·False |
| 1446 | ······failed_when:·False | 1446 | ······failed_when:·False |
| 1447 | ······check_mode:·no | 1447 | ······check_mode:·no |
| 1448 | ······tags: | 1448 | ······tags: |
| Max diff block lines reached; 2725/7023 bytes (38.80%) of diff not shown. | |||
| Offset 832, 1269 lines modified | Offset 832, 1269 lines modified | ||
| 832 | ········-·CJIS-5.4.1.1 | 832 | ········-·CJIS-5.4.1.1 |
| 833 | ········-·DISA-STIG-RHEL-07-030440 | 833 | ········-·DISA-STIG-RHEL-07-030440 |
| 834 | ···· | 834 | ···· |
| 835 | ···· | 835 | ···· |
| 836 | ····# | 836 | ····# |
| 837 | ····#·What·architecture·are·we·on? | 837 | ····#·What·architecture·are·we·on? |
| 838 | ····# | 838 | ····# |
| 839 | ····-·name:·Set·architecture·for·audit· | 839 | ····-·name:·Set·architecture·for·audit·chown·tasks |
| 840 | ······set_fact: | 840 | ······set_fact: |
| 841 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" | 841 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" |
| 842 | ···· | 842 | ···· |
| 843 | ····# | 843 | ····# |
| 844 | ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d | 844 | ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d |
| 845 | ····# | 845 | ····# |
| 846 | ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules | 846 | ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules |
| 847 | ······find: | 847 | ······find: |
| 848 | ········paths:·"/etc/audit/rules.d" | 848 | ········paths:·"/etc/audit/rules.d" |
| 849 | ········recurse:·no | 849 | ········recurse:·no |
| 850 | ········contains:·"-F·key=perm_mod$" | 850 | ········contains:·"-F·key=perm_mod$" |
| 851 | ········patterns:·"*.rules" | 851 | ········patterns:·"*.rules" |
| 852 | ······register:·find_ | 852 | ······register:·find_chown |
| 853 | ···· | 853 | ···· |
| 854 | ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule | 854 | ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule |
| 855 | ······set_fact: | 855 | ······set_fact: |
| 856 | ········all_files:· | 856 | ········all_files:· |
| 857 | ··········-·/etc/audit/rules.d/privileged.rules | 857 | ··········-·/etc/audit/rules.d/privileged.rules |
| 858 | ······when:·find_ | 858 | ······when:·find_chown.matched·==·0 |
| 859 | ···· | 859 | ···· |
| 860 | ····-·name:·Use·matched·file·as·the·recipient·for·the·rule | 860 | ····-·name:·Use·matched·file·as·the·recipient·for·the·rule |
| 861 | ······set_fact: | 861 | ······set_fact: |
| 862 | ········all_files: | 862 | ········all_files: |
| 863 | ··········-·"{{·find_ | 863 | ··········-·"{{·find_chown.files·|·map(attribute='path')·|·list·|·first·}}" |
| 864 | ······when:·find_ | 864 | ······when:·find_chown.matched·>·0 |
| 865 | ···· | 865 | ···· |
| 866 | ····-·name:·Inserts/replaces·the· | 866 | ····-·name:·Inserts/replaces·the·chown·rule·in·rules.d·when·on·x86 |
| 867 | ······lineinfile: | 867 | ······lineinfile: |
| 868 | ········path:·"{{·all_files[0]·}}" | 868 | ········path:·"{{·all_files[0]·}}" |
| 869 | ········line:·"-a·always,exit·-F·arch=b32·-S· | 869 | ········line:·"-a·always,exit·-F·arch=b32·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" |
| 870 | ········create:·yes | 870 | ········create:·yes |
| 871 | ······tags: | 871 | ······tags: |
| 872 | ········-·audit_rules_dac_modification_ | 872 | ········-·audit_rules_dac_modification_chown |
| 873 | ········-·unknown_severity | 873 | ········-·unknown_severity |
| 874 | ········-·restrict_strategy | 874 | ········-·restrict_strategy |
| 875 | ········-·low_complexity | 875 | ········-·low_complexity |
| 876 | ········-·low_disruption | 876 | ········-·low_disruption |
| 877 | ········-·CCE-273 | 877 | ········-·CCE-27364-9 |
| 878 | ········-·NIST-800-53-AC-17(7) | 878 | ········-·NIST-800-53-AC-17(7) |
| 879 | ········-·NIST-800-53-AU-1(b) | 879 | ········-·NIST-800-53-AU-1(b) |
| 880 | ········-·NIST-800-53-AU-2(a) | 880 | ········-·NIST-800-53-AU-2(a) |
| 881 | ········-·NIST-800-53-AU-2(c) | 881 | ········-·NIST-800-53-AU-2(c) |
| 882 | ········-·NIST-800-53-AU-2(d) | 882 | ········-·NIST-800-53-AU-2(d) |
| 883 | ········-·NIST-800-53-AU-12(a) | 883 | ········-·NIST-800-53-AU-12(a) |
| 884 | ········-·NIST-800-53-AU-12(c) | 884 | ········-·NIST-800-53-AU-12(c) |
| 885 | ········-·NIST-800-53-IR-5 | 885 | ········-·NIST-800-53-IR-5 |
| 886 | ········-·NIST-800-171-3.1.7 | 886 | ········-·NIST-800-171-3.1.7 |
| 887 | ········-·PCI-DSS-Req-10.5.5 | 887 | ········-·PCI-DSS-Req-10.5.5 |
| 888 | ········-·CJIS-5.4.1.1 | 888 | ········-·CJIS-5.4.1.1 |
| 889 | ········-·DISA-STIG-RHEL-07-030 | 889 | ········-·DISA-STIG-RHEL-07-030370 |
| 890 | ···· | 890 | ···· |
| 891 | ····-·name:·Inserts/replaces·the· | 891 | ····-·name:·Inserts/replaces·the·chown·rule·in·rules.d·when·on·x86_64 |
| 892 | ······lineinfile: | 892 | ······lineinfile: |
| 893 | ········path:·"{{·all_files[0]·}}" | 893 | ········path:·"{{·all_files[0]·}}" |
| 894 | ········line:·"-a·always,exit·-F·arch=b64·-S· | 894 | ········line:·"-a·always,exit·-F·arch=b64·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" |
| 895 | ········create:·yes | 895 | ········create:·yes |
| 896 | ······when:·audit_arch·==·'b64' | 896 | ······when:·audit_arch·==·'b64' |
| 897 | ······tags: | 897 | ······tags: |
| 898 | ········-·audit_rules_dac_modification_ | 898 | ········-·audit_rules_dac_modification_chown |
| 899 | ········-·unknown_severity | 899 | ········-·unknown_severity |
| 900 | ········-·restrict_strategy | 900 | ········-·restrict_strategy |
| 901 | ········-·low_complexity | 901 | ········-·low_complexity |
| 902 | ········-·low_disruption | 902 | ········-·low_disruption |
| 903 | ········-·CCE-273 | 903 | ········-·CCE-27364-9 |
| 904 | ········-·NIST-800-53-AC-17(7) | 904 | ········-·NIST-800-53-AC-17(7) |
| 905 | ········-·NIST-800-53-AU-1(b) | 905 | ········-·NIST-800-53-AU-1(b) |
| 906 | ········-·NIST-800-53-AU-2(a) | 906 | ········-·NIST-800-53-AU-2(a) |
| 907 | ········-·NIST-800-53-AU-2(c) | 907 | ········-·NIST-800-53-AU-2(c) |
| 908 | ········-·NIST-800-53-AU-2(d) | 908 | ········-·NIST-800-53-AU-2(d) |
| 909 | ········-·NIST-800-53-AU-12(a) | 909 | ········-·NIST-800-53-AU-12(a) |
| 910 | ········-·NIST-800-53-AU-12(c) | 910 | ········-·NIST-800-53-AU-12(c) |
| 911 | ········-·NIST-800-53-IR-5 | 911 | ········-·NIST-800-53-IR-5 |
| 912 | ········-·NIST-800-171-3.1.7 | 912 | ········-·NIST-800-171-3.1.7 |
| 913 | ········-·PCI-DSS-Req-10.5.5 | 913 | ········-·PCI-DSS-Req-10.5.5 |
| 914 | ········-·CJIS-5.4.1.1 | 914 | ········-·CJIS-5.4.1.1 |
| 915 | ········-·DISA-STIG-RHEL-07-030 | 915 | ········-·DISA-STIG-RHEL-07-030370 |
| 916 | ····#···· | 916 | ····#···· |
| 917 | ····#·Inserts/replaces·the·rule·in·/etc/audit/audit.rules | 917 | ····#·Inserts/replaces·the·rule·in·/etc/audit/audit.rules |
| 918 | ····# | 918 | ····# |
| 919 | ····-·name:·Inserts/replaces·the· | 919 | ····-·name:·Inserts/replaces·the·chown·rule·in·/etc/audit/audit.rules·when·on·x86 |
| 920 | ······lineinfile: | 920 | ······lineinfile: |
| 921 | ········line:·"{{·item·}}" | 921 | ········line:·"{{·item·}}" |
| 922 | ········state:·present | 922 | ········state:·present |
| 923 | ········dest:·/etc/audit/audit.rules | 923 | ········dest:·/etc/audit/audit.rules |
| 924 | ······with_items: | 924 | ······with_items: |
| 925 | ········-·"-a·always,exit·-F·arch=b32·-S· | 925 | ········-·"-a·always,exit·-F·arch=b32·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" |
| 926 | ······tags: | 926 | ······tags: |
| 927 | ········-·audit_rules_dac_modification_ | 927 | ········-·audit_rules_dac_modification_chown |
| 928 | ········-·unknown_severity | 928 | ········-·unknown_severity |
| 929 | ········-·restrict_strategy | 929 | ········-·restrict_strategy |
| 930 | ········-·low_complexity | 930 | ········-·low_complexity |
| 931 | ········-·low_disruption | 931 | ········-·low_disruption |
| 932 | ········-·CCE-273 | 932 | ········-·CCE-27364-9 |
| 933 | ········-·NIST-800-53-AC-17(7) | 933 | ········-·NIST-800-53-AC-17(7) |
| 934 | ········-·NIST-800-53-AU-1(b) | 934 | ········-·NIST-800-53-AU-1(b) |
| 935 | ········-·NIST-800-53-AU-2(a) | 935 | ········-·NIST-800-53-AU-2(a) |
| 936 | ········-·NIST-800-53-AU-2(c) | 936 | ········-·NIST-800-53-AU-2(c) |
| 937 | ········-·NIST-800-53-AU-2(d) | 937 | ········-·NIST-800-53-AU-2(d) |
| 938 | ········-·NIST-800-53-AU-12(a) | 938 | ········-·NIST-800-53-AU-12(a) |
| 939 | ········-·NIST-800-53-AU-12(c) | 939 | ········-·NIST-800-53-AU-12(c) |
| 940 | ········-·NIST-800-53-IR-5 | 940 | ········-·NIST-800-53-IR-5 |
| 941 | ········-·NIST-800-171-3.1.7 | 941 | ········-·NIST-800-171-3.1.7 |
| 942 | ········-·PCI-DSS-Req-10.5.5 | 942 | ········-·PCI-DSS-Req-10.5.5 |
| 943 | ········-·CJIS-5.4.1.1 | 943 | ········-·CJIS-5.4.1.1 |
| 944 | ········-·DISA-STIG-RHEL-07-030 | 944 | ········-·DISA-STIG-RHEL-07-030370 |
| 945 | ···· | 945 | ···· |
| 946 | ····-·name:·Inserts/replaces·the· | 946 | ····-·name:·Inserts/replaces·the·chown·rule·in·audit.rules·when·on·x86_64 |
| 947 | ······lineinfile: | 947 | ······lineinfile: |
| 948 | ········line:·"{{·item·}}" | 948 | ········line:·"{{·item·}}" |
| 949 | ········state:·present | 949 | ········state:·present |
| 950 | ········dest:·/etc/audit/audit.rules | 950 | ········dest:·/etc/audit/audit.rules |
| 951 | ········create:·yes | 951 | ········create:·yes |
| 952 | ······with_items: | 952 | ······with_items: |
| 953 | ········-·"-a·always,exit·-F·arch=b64·-S· | 953 | ········-·"-a·always,exit·-F·arch=b64·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" |
| 954 | ······when:·audit_arch·==·'b64' | 954 | ······when:·audit_arch·==·'b64' |
| 955 | ······tags: | 955 | ······tags: |
| 956 | ········-·audit_rules_dac_modification_ | 956 | ········-·audit_rules_dac_modification_chown |
| 957 | ········-·unknown_severity | 957 | ········-·unknown_severity |
| 958 | ········-·restrict_strategy | 958 | ········-·restrict_strategy |
| Max diff block lines reached; 48574/54119 bytes (89.75%) of diff not shown. | |||
| Offset 44, 18 lines modified | Offset 44, 18 lines modified | ||
| 44 | ·········· | 44 | ·········· |
| 45 | ···vars: | 45 | ···vars: |
| 46 | ······sshd_idle_timeout_value:·600 | 46 | ······sshd_idle_timeout_value:·600 |
| 47 | ······inactivity_timeout_value:·900 | 47 | ······inactivity_timeout_value:·900 |
| 48 | ······rsyslog_remote_loghost_address:·logcollector | 48 | ······rsyslog_remote_loghost_address:·logcollector |
| 49 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 49 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 50 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 51 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 52 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | 51 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 | ||
| 54 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 52 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 53 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 | ||
| 54 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 55 | ······var_selinux_policy_name:·targeted | 55 | ······var_selinux_policy_name:·targeted |
| 56 | ······var_selinux_state:·enforcing | 56 | ······var_selinux_state:·enforcing |
| 57 | ······var_accounts_minimum_age_login_defs:·1 | 57 | ······var_accounts_minimum_age_login_defs:·1 |
| 58 | ······var_accounts_maximum_age_login_defs:·60 | 58 | ······var_accounts_maximum_age_login_defs:·60 |
| 59 | ······var_account_disable_post_pw_expiration:·0 | 59 | ······var_account_disable_post_pw_expiration:·0 |
| 60 | ······var_accounts_passwords_pam_faillock_deny:·3 | 60 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·never | 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·never |
| Offset 72, 17 lines modified | Offset 72, 17 lines modified | ||
| 72 | ······var_password_pam_difok:·8 | 72 | ······var_password_pam_difok:·8 |
| 73 | ······var_password_pam_ocredit:·-1 | 73 | ······var_password_pam_ocredit:·-1 |
| 74 | ······var_password_pam_lcredit:·-1 | 74 | ······var_password_pam_lcredit:·-1 |
| 75 | ······var_password_pam_ucredit:·-1 | 75 | ······var_password_pam_ucredit:·-1 |
| 76 | ······var_password_pam_retry:·3 | 76 | ······var_password_pam_retry:·3 |
| 77 | ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) | 77 | ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) |
| 78 | ······var_accounts_user_umask:·077 | 78 | ······var_accounts_user_umask:·077 |
| 79 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 79 | ······var_accounts_fail_delay:·4 | 80 | ······var_accounts_fail_delay:·4 |
| 80 | ······var_accounts_tmout:·600 | 81 | ······var_accounts_tmout:·600 |
| 81 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 82 | ······var_auditd_action_mail_acct:·root | 82 | ······var_auditd_action_mail_acct:·root |
| 83 | ······var_auditd_space_left_action:·email | 83 | ······var_auditd_space_left_action:·email |
| 84 | ······var_removable_partition:·/dev/cdrom | 84 | ······var_removable_partition:·/dev/cdrom |
| 85 | ···tasks: | 85 | ···tasks: |
| 86 | ····-·name:·Ensure·rsh-server·is·removed | 86 | ····-·name:·Ensure·rsh-server·is·removed |
| 87 | ······package: | 87 | ······package: |
| 88 | ········name="{{item}}" | 88 | ········name="{{item}}" |
| Offset 250, 14 lines modified | Offset 250, 33 lines modified | ||
| 250 | ········-·low_disruption | 250 | ········-·low_disruption |
| 251 | ········-·CCE-80258-7 | 251 | ········-·CCE-80258-7 |
| 252 | ········-·NIST-800-53-AC-17(8) | 252 | ········-·NIST-800-53-AC-17(8) |
| 253 | ········-·NIST-800-53-CM-7 | 253 | ········-·NIST-800-53-CM-7 |
| 254 | ········-·NIST-800-53-CM-6(b) | 254 | ········-·NIST-800-53-CM-6(b) |
| 255 | ········-·DISA-STIG-RHEL-07-021300 | 255 | ········-·DISA-STIG-RHEL-07-021300 |
| 256 | ···· | 256 | ···· |
| 257 | ····-·name:·"Enable·Use·of·Strict·Mode·Checking" | ||
| 258 | ······lineinfile: | ||
| 259 | ········create:·yes | ||
| 260 | ········dest:·/etc/ssh/sshd_config | ||
| 261 | ········regexp:·(?i)^#?strictmodes | ||
| 262 | ········line:·StrictModes·yes | ||
| 263 | ········validate:·sshd·-t·-f·%s | ||
| 264 | ······#notify:·restart·sshd | ||
| 265 | ······tags: | ||
| 266 | ········-·sshd_enable_strictmodes | ||
| 267 | ········-·medium_severity | ||
| 268 | ········-·restrict_strategy | ||
| 269 | ········-·low_complexity | ||
| 270 | ········-·low_disruption | ||
| 271 | ········-·CCE-80222-3 | ||
| 272 | ········-·NIST-800-53-AC-6 | ||
| 273 | ········-·NIST-800-171-3.1.12 | ||
| 274 | ········-·DISA-STIG-RHEL-07-040450 | ||
| 275 | ···· | ||
| 257 | ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts" | 276 | ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts" |
| 258 | ······lineinfile: | 277 | ······lineinfile: |
| 259 | ········create:·yes | 278 | ········create:·yes |
| 260 | ········dest:·/etc/ssh/sshd_config | 279 | ········dest:·/etc/ssh/sshd_config |
| 261 | ········regexp:·^IgnoreUserKnownHosts | 280 | ········regexp:·^IgnoreUserKnownHosts |
| 262 | ········line:·IgnoreUserKnownHosts·yes | 281 | ········line:·IgnoreUserKnownHosts·yes |
| 263 | ········validate:·sshd·-t·-f·%s | 282 | ········validate:·sshd·-t·-f·%s |
| Offset 313, 31 lines modified | Offset 332, 38 lines modified | ||
| 313 | ········-·NIST-800-53-AC-2(5) | 332 | ········-·NIST-800-53-AC-2(5) |
| 314 | ········-·NIST-800-53-SA-8 | 333 | ········-·NIST-800-53-SA-8 |
| 315 | ········-·NIST-800-53-AC-12 | 334 | ········-·NIST-800-53-AC-12 |
| 316 | ········-·NIST-800-171-3.1.11 | 335 | ········-·NIST-800-171-3.1.11 |
| 317 | ········-·CJIS-5.5.6 | 336 | ········-·CJIS-5.5.6 |
| 318 | ········-·DISA-STIG-RHEL-07-040340 | 337 | ········-·DISA-STIG-RHEL-07-040340 |
| 319 | ···· | 338 | ···· |
| 320 | ···· | 339 | ···· |
| 340 | ···· | ||
| 341 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 321 | ······lineinfile: | 342 | ······lineinfile: |
| 322 | ········create:·yes | 343 | ········create:·yes |
| 323 | ········dest:·/etc/ssh/sshd_config | 344 | ········dest:·/etc/ssh/sshd_config |
| 324 | ········regexp:·^ | 345 | ········regexp:·^ClientAliveInterval |
| 325 | ········line:· | 346 | ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}" |
| 326 | ········validate:·sshd·-t·-f·%s | 347 | ········validate:·sshd·-t·-f·%s |
| 348 | ······#notify:·restart·sshd | ||
| 327 | ······tags: | 349 | ······tags: |
| 328 | ········-·sshd_ | 350 | ········-·sshd_set_idle_timeout |
| 329 | ········-· | 351 | ········-·unknown_severity |
| 330 | ········-·restrict_strategy | 352 | ········-·restrict_strategy |
| 331 | ········-·low_complexity | 353 | ········-·low_complexity |
| 332 | ········-·low_disruption | 354 | ········-·low_disruption |
| 333 | ········-·CCE- | 355 | ········-·CCE-27433-2 |
| 334 | ········-·NIST-800-53- | 356 | ········-·NIST-800-53-AC-2(5) |
| 335 | ········-·NIST-800- | 357 | ········-·NIST-800-53-SA-8(i) |
| 336 | ········-· | 358 | ········-·NIST-800-53-AC-12 |
| 359 | ········-·NIST-800-171-3.1.11 | ||
| 360 | ········-·PCI-DSS-Req-8.1.8 | ||
| 361 | ········-·CJIS-5.5.6 | ||
| 362 | ········-·DISA-STIG-RHEL-07-040320 | ||
| 337 | ···· | 363 | ···· |
| 338 | ····-·name:·Enable·SSH·Warning·Banner | 364 | ····-·name:·Enable·SSH·Warning·Banner |
| 339 | ······lineinfile: | 365 | ······lineinfile: |
| 340 | ········create:·yes | 366 | ········create:·yes |
| 341 | ········dest:·/etc/ssh/sshd_config | 367 | ········dest:·/etc/ssh/sshd_config |
| 342 | ········regexp:·^Banner | 368 | ········regexp:·^Banner |
| 343 | ········line:·Banner·/etc/issue | 369 | ········line:·Banner·/etc/issue |
| Offset 377, 33 lines modified | Offset 403, 14 lines modified | ||
| 377 | ········-·NIST-800-53-IA-7 | 403 | ········-·NIST-800-53-IA-7 |
| 378 | ········-·NIST-800-53-SC-13 | 404 | ········-·NIST-800-53-SC-13 |
| 379 | ········-·NIST-800-171-3.1.13 | 405 | ········-·NIST-800-171-3.1.13 |
| 380 | ········-·NIST-800-171-3.13.11 | 406 | ········-·NIST-800-171-3.13.11 |
| 381 | ········-·NIST-800-171-3.13.8 | 407 | ········-·NIST-800-171-3.13.8 |
| 382 | ········-·DISA-STIG-RHEL-07-040400 | 408 | ········-·DISA-STIG-RHEL-07-040400 |
| 383 | ···· | 409 | ···· |
| 384 | ····-·name:·Do·Not·Allow·SSH·Environment·Options | ||
| 385 | ······lineinfile: | ||
| 386 | ········create:·yes | ||
| 387 | ········dest:·/etc/ssh/sshd_config | ||
| 388 | ········regexp:·^PermitUserEnvironment | ||
| 389 | ········line:·PermitUserEnvironment·no | ||
| 390 | ········validate:·sshd·-t·-f·%s | ||
| Max diff block lines reached; 106151/113585 bytes (93.46%) of diff not shown. | |||
| Offset 43, 57 lines modified | Offset 43, 58 lines modified | ||
| 43 | ·········· | 43 | ·········· |
| 44 | ···vars: | 44 | ···vars: |
| 45 | ······sshd_idle_timeout_value:·300 | 45 | ······sshd_idle_timeout_value:·300 |
| 46 | ······rsyslog_remote_loghost_address:·None | 46 | ······rsyslog_remote_loghost_address:·None |
| 47 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 47 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 48 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 49 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 52 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 53 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 54 | ······sysctl_net_ipv4_conf_ | 54 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 55 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 55 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 56 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 56 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 57 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 58 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 58 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 59 | ······sysctl_net_ipv4_icmp_ | 59 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 60 | ······sysctl_net_ipv4_conf_ | 60 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 61 | ······var_selinux_policy_name:·targeted | 61 | ······var_selinux_policy_name:·targeted |
| 62 | ······var_selinux_state:·enforcing | 62 | ······var_selinux_state:·enforcing |
| 63 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 64 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 65 | ······var_accounts_password_warn_age_login_defs:·7 | 63 | ······var_accounts_password_warn_age_login_defs:·7 |
| 64 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 65 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 66 | ······var_account_disable_post_pw_expiration:·35 | 66 | ······var_account_disable_post_pw_expiration:·35 |
| 67 | ······var_password_pam_unix_remember:·0 | 67 | ······var_password_pam_unix_remember:·0 |
| 68 | ······var_accounts_passwords_pam_faillock_deny:·3 | 68 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 69 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 69 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 70 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 70 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 71 | ······var_removable_partition:·/dev/cdrom | ||
| 72 | ······var_removable_partition:·/dev/cdrom | ||
| 73 | ······var_removable_partition:·/dev/cdrom | ||
| 71 | ······var_auditd_max_log_file:·1 | 74 | ······var_auditd_max_log_file:·1 |
| 72 | ······var_auditd_action_mail_acct:·admin | 75 | ······var_auditd_action_mail_acct:·admin |
| 73 | ······var_auditd_space_left_action:·suspend | ||
| 74 | ······var_auditd_admin_space_left_action:·suspend | 76 | ······var_auditd_admin_space_left_action:·suspend |
| 77 | ······var_auditd_space_left_action:·suspend | ||
| 75 | ······var_auditd_max_log_file_action:·ignore | 78 | ······var_auditd_max_log_file_action:·ignore |
| 76 | ······var_removable_partition:·/dev/cdrom | ||
| 77 | ······var_removable_partition:·/dev/cdrom | ||
| 78 | ······var_removable_partition:·/dev/cdrom | ||
| 79 | ···tasks: | 79 | ···tasks: |
| 80 | ····-·name:·Ensure·s | 80 | ····-·name:·Ensure·vsftpd·is·removed |
| 81 | ······package: | 81 | ······package: |
| 82 | ········name="{{item}}" | 82 | ········name="{{item}}" |
| 83 | ········state=absent | 83 | ········state=absent |
| 84 | ······with_items: | 84 | ······with_items: |
| 85 | ········-·s | 85 | ········-·vsftpd |
| 86 | ······tags: | 86 | ······tags: |
| 87 | ········-·package_s | 87 | ········-·package_vsftpd_removed |
| 88 | ········-·unknown_severity | 88 | ········-·unknown_severity |
| 89 | ········-·disable_strategy | 89 | ········-·disable_strategy |
| 90 | ········-·low_complexity | 90 | ········-·low_complexity |
| 91 | ········-·low_disruption | 91 | ········-·low_disruption |
| 92 | ········-·CCE-2 | 92 | ········-·CCE-26687-4 |
| 93 | ········-·NIST-800-53-CM-7 | ||
| 93 | ···· | 94 | ···· |
| 94 | ····-·name:·Ensure·httpd·is·removed | 95 | ····-·name:·Ensure·httpd·is·removed |
| 95 | ······package: | 96 | ······package: |
| 96 | ········name="{{item}}" | 97 | ········name="{{item}}" |
| 97 | ········state=absent | 98 | ········state=absent |
| 98 | ······with_items: | 99 | ······with_items: |
| 99 | ········-·httpd | 100 | ········-·httpd |
| Offset 102, 29 lines modified | Offset 103, 43 lines modified | ||
| 102 | ········-·unknown_severity | 103 | ········-·unknown_severity |
| 103 | ········-·disable_strategy | 104 | ········-·disable_strategy |
| 104 | ········-·low_complexity | 105 | ········-·low_complexity |
| 105 | ········-·low_disruption | 106 | ········-·low_disruption |
| 106 | ········-·CCE-27133-8 | 107 | ········-·CCE-27133-8 |
| 107 | ········-·NIST-800-53-CM-7 | 108 | ········-·NIST-800-53-CM-7 |
| 108 | ···· | 109 | ···· |
| 109 | ····-·name:·Ensure· | 110 | ····-·name:·Ensure·bind·is·removed |
| 110 | ······package: | 111 | ······package: |
| 111 | ········name="{{item}}" | 112 | ········name="{{item}}" |
| 112 | ········state=absent | 113 | ········state=absent |
| 113 | ······with_items: | 114 | ······with_items: |
| 114 | ········-· | 115 | ········-·bind |
| 115 | ······tags: | 116 | ······tags: |
| 116 | ········-·package_ | 117 | ········-·package_bind_removed |
| 117 | ········-· | 118 | ········-·unknown_severity |
| 118 | ········-·disable_strategy | 119 | ········-·disable_strategy |
| 119 | ········-·low_complexity | 120 | ········-·low_complexity |
| 120 | ········-·low_disruption | 121 | ········-·low_disruption |
| 121 | ········-·CCE-27 | 122 | ········-·CCE-27030-6 |
| 122 | ········-·NIST-800-53-CM-7 | 123 | ········-·NIST-800-53-CM-7 |
| 123 | ···· | 124 | ···· |
| 125 | ····-·name:·Ensure·samba·is·removed | ||
| 126 | ······package: | ||
| 127 | ········name="{{item}}" | ||
| 128 | ········state=absent | ||
| 129 | ······with_items: | ||
| 130 | ········-·samba | ||
| 131 | ······tags: | ||
| 132 | ········-·package_samba_removed | ||
| 133 | ········-·unknown_severity | ||
| 134 | ········-·disable_strategy | ||
| 135 | ········-·low_complexity | ||
| 136 | ········-·low_disruption | ||
| 137 | ········-·CCE-27102-3 | ||
| 138 | ···· | ||
| 124 | ····-·name:·Enable·service·ntpd | 139 | ····-·name:·Enable·service·ntpd |
| 125 | ······service: | 140 | ······service: |
| 126 | ········name="{{item}}" | 141 | ········name="{{item}}" |
| 127 | ········enabled="yes" | 142 | ········enabled="yes" |
| 128 | ········state="started" | 143 | ········state="started" |
| 129 | ······with_items: | 144 | ······with_items: |
| 130 | ········-·ntpd | 145 | ········-·ntpd |
| Offset 135, 45 lines modified | Offset 150, 94 lines modified | ||
| 135 | ········-·low_complexity | 150 | ········-·low_complexity |
| 136 | ········-·low_disruption | 151 | ········-·low_disruption |
| 137 | ········-·CCE-27093-4 | 152 | ········-·CCE-27093-4 |
| 138 | ········-·NIST-800-53-AU-8(1) | 153 | ········-·NIST-800-53-AU-8(1) |
| 139 | ········-·PCI-DSS-Req-10.4 | 154 | ········-·PCI-DSS-Req-10.4 |
| 140 | ········-·DISA-STIG-RHEL-06-000247 | 155 | ········-·DISA-STIG-RHEL-06-000247 |
| 141 | ···· | 156 | ···· |
| 142 | ····-·name:· | 157 | ····-·name:·Ensure·openldap-servers·is·removed |
| 158 | ······package: | ||
| 159 | ········name="{{item}}" | ||
| 160 | ········state=absent | ||
| 161 | ······with_items: | ||
| 162 | ········-·openldap-servers | ||
| 163 | ······tags: | ||
| 164 | ········-·package_openldap-servers_removed | ||
| 165 | ········-·unknown_severity | ||
| 166 | ········-·disable_strategy | ||
| 167 | ········-·low_complexity | ||
| Max diff block lines reached; 83773/89246 bytes (93.87%) of diff not shown. | |||
| Offset 33, 88 lines modified | Offset 33, 75 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······rsyslog_remote_loghost_address:·None | 36 | ······rsyslog_remote_loghost_address:·None |
| 37 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 37 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 40 | ······sysctl_net_ipv4_icmp_ | 40 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_ | 44 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 49 | ······sysctl_net_ipv4_icmp_ | 49 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_ | 50 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 51 | ······var_selinux_policy_name:·targeted | 51 | ······var_selinux_policy_name:·targeted |
| 52 | ······var_selinux_state:·enforcing | 52 | ······var_selinux_state:·enforcing |
| 53 | ······var_accounts_password_minlen_login_defs:·14 | 53 | ······var_accounts_password_minlen_login_defs:·14 |
| 54 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 55 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | 54 | ······var_accounts_password_warn_age_login_defs:·7 |
| 55 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 56 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 57 | ······var_account_disable_post_pw_expiration:·35 | 57 | ······var_account_disable_post_pw_expiration:·35 |
| 58 | ······var_password_pam_unix_remember:·10 | 58 | ······var_password_pam_unix_remember:·10 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_user_umask:·077 | 63 | ······var_accounts_user_umask:·077 |
| 64 | ······var_accounts_max_concurrent_login_sessions:·3 | 64 | ······var_accounts_max_concurrent_login_sessions:·3 |
| 65 | ······var_removable_partition:·/dev/cdrom | 65 | ······var_removable_partition:·/dev/cdrom |
| 66 | ······var_removable_partition:·/dev/cdrom | 66 | ······var_removable_partition:·/dev/cdrom |
| 67 | ······var_removable_partition:·/dev/cdrom | 67 | ······var_removable_partition:·/dev/cdrom |
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Disable·service·s | 69 | ····-·name:·Disable·service·vsftpd |
| 70 | ······service: | 70 | ······service: |
| 71 | ········name="{{item}}" | 71 | ········name="{{item}}" |
| 72 | ········enabled="no" | 72 | ········enabled="no" |
| 73 | ········state="stopped" | 73 | ········state="stopped" |
| 74 | ······register:·service_result | 74 | ······register:·service_result |
| 75 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 75 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 76 | ······with_items: | 76 | ······with_items: |
| 77 | ········-·s | 77 | ········-·vsftpd |
| 78 | ······tags: | 78 | ······tags: |
| 79 | ········-·service_s | 79 | ········-·service_vsftpd_disabled |
| 80 | ········-·unknown_severity | 80 | ········-·unknown_severity |
| 81 | ········-·disable_strategy | 81 | ········-·disable_strategy |
| 82 | ········-·low_complexity | 82 | ········-·low_complexity |
| 83 | ········-·low_disruption | 83 | ········-·low_disruption |
| 84 | ········-·CCE-2 | 84 | ········-·CCE-26948-0 |
| 85 | ···· | 85 | ········-·NIST-800-53-CM-7 |
| 86 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 87 | ······stat: | ||
| 88 | ········path:·/etc/samba/smb.conf | ||
| 89 | ······register:·st_smb | ||
| 90 | ······tags: | ||
| 91 | ········-·require_smb_client_signing | ||
| 92 | ········-·unknown_severity | ||
| 93 | ········-·configure_strategy | ||
| 94 | ········-·low_complexity | ||
| 95 | ········-·medium_disruption | ||
| 96 | ········-·CCE-26328-5 | ||
| 97 | ········-·DISA-STIG-RHEL-06-000272 | ||
| 98 | ···· | 86 | ···· |
| 99 | ····-·name:· | 87 | ····-·name:·Ensure·vsftpd·is·removed |
| 100 | ······ | 88 | ······package: |
| 101 | ········ | 89 | ········name="{{item}}" |
| 102 | ········ | 90 | ········state=absent |
| 103 | ······ | 91 | ······with_items: |
| 104 | ········ | 92 | ········-·vsftpd |
| 105 | ······when:·st_smb.stat.exists | ||
| 106 | ······tags: | 93 | ······tags: |
| 107 | ········-· | 94 | ········-·package_vsftpd_removed |
| 108 | ········-·unknown_severity | 95 | ········-·unknown_severity |
| 109 | ········-· | 96 | ········-·disable_strategy |
| 110 | ········-·low_complexity | 97 | ········-·low_complexity |
| 111 | ········-· | 98 | ········-·low_disruption |
| 112 | ········-·CCE-26 | 99 | ········-·CCE-26687-4 |
| 113 | ········-· | 100 | ········-·NIST-800-53-CM-7 |
| 114 | ···· | 101 | ···· |
| 115 | ····-·name:·Ensure·httpd·is·removed | 102 | ····-·name:·Ensure·httpd·is·removed |
| 116 | ······package: | 103 | ······package: |
| 117 | ········name="{{item}}" | 104 | ········name="{{item}}" |
| 118 | ········state=absent | 105 | ········state=absent |
| 119 | ······with_items: | 106 | ······with_items: |
| 120 | ········-·httpd | 107 | ········-·httpd |
| Offset 153, 45 lines modified | Offset 140, 92 lines modified | ||
| 153 | ········-·unknown_severity | 140 | ········-·unknown_severity |
| 154 | ········-·configure_strategy | 141 | ········-·configure_strategy |
| 155 | ········-·low_complexity | 142 | ········-·low_complexity |
| 156 | ········-·low_disruption | 143 | ········-·low_disruption |
| 157 | ········-·CCE-27316-9 | 144 | ········-·CCE-27316-9 |
| 158 | ········-·NIST-800-53-CM-7 | 145 | ········-·NIST-800-53-CM-7 |
| 159 | ···· | 146 | ···· |
| 160 | ····-·name:· | 147 | ····-·name:·Disable·service·named |
| 148 | ······service: | ||
| 149 | ········name="{{item}}" | ||
| 150 | ········enabled="no" | ||
| 151 | ········state="stopped" | ||
| 152 | ······register:·service_result | ||
| 153 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 154 | ······with_items: | ||
| 155 | ········-·named | ||
| 156 | ······tags: | ||
| 157 | ········-·service_named_disabled | ||
| 158 | ········-·unknown_severity | ||
| 159 | ········-·disable_strategy | ||
| 160 | ········-·low_complexity | ||
| 161 | ········-·low_disruption | ||
| 162 | ········-·CCE-26873-0 | ||
| 163 | ········-·NIST-800-53-CM-7 | ||
| 164 | ···· | ||
| 165 | ····-·name:·Ensure·bind·is·removed | ||
| 161 | ······package: | 166 | ······package: |
| 162 | ········name="{{item}}" | 167 | ········name="{{item}}" |
| 163 | ········state=absent | 168 | ········state=absent |
| 164 | ······with_items: | 169 | ······with_items: |
| 165 | ········-· | 170 | ········-·bind |
| 166 | ······tags: | 171 | ······tags: |
| 167 | ········-·package_ | 172 | ········-·package_bind_removed |
| 168 | ········-· | 173 | ········-·unknown_severity |
| 169 | ········-·disable_strategy | 174 | ········-·disable_strategy |
| 170 | ········-·low_complexity | 175 | ········-·low_complexity |
| Max diff block lines reached; 175955/181073 bytes (97.17%) of diff not shown. | |||
| Offset 35, 39 lines modified | Offset 35, 72 lines modified | ||
| 35 | ·······assert: | 35 | ·······assert: |
| 36 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" | 36 | ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')" |
| 37 | ·········msg:·> | 37 | ·········msg:·> |
| 38 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 38 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 39 | ·········· | 39 | ·········· |
| 40 | ···vars: | 40 | ···vars: |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 42 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_ | 46 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_icmp_ | 51 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 52 | ······sysctl_net_ipv4_conf_ | 52 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 53 | ······var_selinux_policy_name:·mls | 53 | ······var_selinux_policy_name:·mls |
| 54 | ······var_selinux_state:·enforcing | 54 | ······var_selinux_state:·enforcing |
| 55 | ······var_accounts_password_minlen_login_defs:·12 | 55 | ······var_accounts_password_minlen_login_defs:·12 |
| 56 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 57 | ······var_accounts_password_warn_age_login_defs:·7 | 56 | ······var_accounts_password_warn_age_login_defs:·7 |
| 57 | ······var_accounts_maximum_age_login_defs:·180 | ||
| 58 | ······var_account_disable_post_pw_expiration:·35 | 58 | ······var_account_disable_post_pw_expiration:·35 |
| 59 | ······var_password_pam_unix_remember:·0 | 59 | ······var_password_pam_unix_remember:·0 |
| 60 | ······var_password_pam_retry:·3 | 60 | ······var_password_pam_retry:·3 |
| 61 | ······var_auditd_max_log_file:·1 | 61 | ······var_auditd_max_log_file:·1 |
| 62 | ······var_auditd_action_mail_acct:·admin | 62 | ······var_auditd_action_mail_acct:·admin |
| 63 | ······var_auditd_space_left_action:·suspend | ||
| 64 | ······var_auditd_admin_space_left_action:·suspend | 63 | ······var_auditd_admin_space_left_action:·suspend |
| 64 | ······var_auditd_space_left_action:·suspend | ||
| 65 | ······var_auditd_max_log_file_action:·keep_logs | 65 | ······var_auditd_max_log_file_action:·keep_logs |
| 66 | ···tasks: | 66 | ···tasks: |
| 67 | ····-·name:·Disable·service·vsftpd | ||
| 68 | ······service: | ||
| 69 | ········name="{{item}}" | ||
| 70 | ········enabled="no" | ||
| 71 | ········state="stopped" | ||
| 72 | ······register:·service_result | ||
| 73 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 74 | ······with_items: | ||
| 75 | ········-·vsftpd | ||
| 76 | ······tags: | ||
| 77 | ········-·service_vsftpd_disabled | ||
| 78 | ········-·unknown_severity | ||
| 79 | ········-·disable_strategy | ||
| 80 | ········-·low_complexity | ||
| 81 | ········-·low_disruption | ||
| 82 | ········-·CCE-26948-0 | ||
| 83 | ········-·NIST-800-53-CM-7 | ||
| 84 | ···· | ||
| 85 | ····-·name:·Ensure·vsftpd·is·removed | ||
| 86 | ······package: | ||
| 87 | ········name="{{item}}" | ||
| 88 | ········state=absent | ||
| 89 | ······with_items: | ||
| 90 | ········-·vsftpd | ||
| 91 | ······tags: | ||
| 92 | ········-·package_vsftpd_removed | ||
| 93 | ········-·unknown_severity | ||
| 94 | ········-·disable_strategy | ||
| 95 | ········-·low_complexity | ||
| 96 | ········-·low_disruption | ||
| 97 | ········-·CCE-26687-4 | ||
| 98 | ········-·NIST-800-53-CM-7 | ||
| 99 | ···· | ||
| 67 | ···· | 100 | ···· |
| 68 | ····-·name:·Find·/etc/httpd/conf/*·file(s) | 101 | ····-·name:·Find·/etc/httpd/conf/*·file(s) |
| 69 | ······find: | 102 | ······find: |
| 70 | ········paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}" | 103 | ········paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}" |
| 71 | ········patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}" | 104 | ········patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}" |
| 72 | ······register:·files_found | 105 | ······register:·files_found |
| 73 | ······tags: | 106 | ······tags: |
| Offset 90, 98 lines modified | Offset 123, 116 lines modified | ||
| 90 | ········-·unknown_severity | 123 | ········-·unknown_severity |
| 91 | ········-·configure_strategy | 124 | ········-·configure_strategy |
| 92 | ········-·low_complexity | 125 | ········-·low_complexity |
| 93 | ········-·low_disruption | 126 | ········-·low_disruption |
| 94 | ········-·CCE-27316-9 | 127 | ········-·CCE-27316-9 |
| 95 | ········-·NIST-800-53-CM-7 | 128 | ········-·NIST-800-53-CM-7 |
| 96 | ···· | 129 | ···· |
| 97 | ····-·name:· | 130 | ····-·name:·Disable·service·named |
| 98 | ······ | 131 | ······service: |
| 99 | ········name="{{item}}" | 132 | ········name="{{item}}" |
| 100 | ········ | 133 | ········enabled="no" |
| 134 | ········state="stopped" | ||
| 135 | ······register:·service_result | ||
| 136 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 101 | ······with_items: | 137 | ······with_items: |
| 102 | ········-· | 138 | ········-·named |
| 103 | ······tags: | 139 | ······tags: |
| 104 | ········-· | 140 | ········-·service_named_disabled |
| 105 | ········-· | 141 | ········-·unknown_severity |
| 106 | ········-·disable_strategy | 142 | ········-·disable_strategy |
| 107 | ········-·low_complexity | 143 | ········-·low_complexity |
| 108 | ········-·low_disruption | 144 | ········-·low_disruption |
| 109 | ········-·CCE-2 | 145 | ········-·CCE-26873-0 |
| 110 | ········-·NIST-800-53-CM-7 | 146 | ········-·NIST-800-53-CM-7 |
| 111 | ········-·DISA-STIG-RHEL-06-000288 | ||
| 112 | ···· | 147 | ···· |
| 113 | ····-·name:·Ensure· | 148 | ····-·name:·Ensure·bind·is·removed |
| 114 | ······package: | 149 | ······package: |
| 115 | ········name="{{item}}" | 150 | ········name="{{item}}" |
| 116 | ········state=absent | 151 | ········state=absent |
| 117 | ······with_items: | 152 | ······with_items: |
| 118 | ········-· | 153 | ········-·bind |
| 119 | ······tags: | 154 | ······tags: |
| 120 | ········-·package_ | 155 | ········-·package_bind_removed |
| 121 | ········-· | 156 | ········-·unknown_severity |
| 122 | ········-·disable_strategy | 157 | ········-·disable_strategy |
| 123 | ········-·low_complexity | 158 | ········-·low_complexity |
| 124 | ········-·low_disruption | 159 | ········-·low_disruption |
| 125 | ········-·CCE-27 | 160 | ········-·CCE-27030-6 |
| 126 | ········-·NIST-800-53-CM-7 | 161 | ········-·NIST-800-53-CM-7 |
| 127 | ···· | 162 | ···· |
| 128 | ····-·name:· | 163 | ····-·name:·Enable·service·ntpd |
| 129 | ······service: | 164 | ······service: |
| 130 | ········name="{{item}}" | 165 | ········name="{{item}}" |
| 131 | ········enabled=" | 166 | ········enabled="yes" |
| 132 | ········state="st | 167 | ········state="started" |
| 133 | ······register:·service_result | ||
| 134 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 135 | ······with_items: | 168 | ······with_items: |
| 136 | ········-· | 169 | ········-·ntpd |
| 137 | ······tags: | 170 | ······tags: |
| 138 | ········-·service_ | 171 | ········-·service_ntpd_enabled |
| Max diff block lines reached; 127041/131888 bytes (96.32%) of diff not shown. | |||
| Offset 34, 87 lines modified | Offset 34, 74 lines modified | ||
| 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······rsyslog_remote_loghost_address:·None | 38 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 41 | ······sysctl_net_ipv4_icmp_ | 41 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_conf_ | 45 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_ | 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 52 | ······var_selinux_policy_name:·targeted | 52 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 53 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·15 | 54 | ······var_accounts_password_minlen_login_defs:·15 |
| 55 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_password_warn_age_login_defs:·7 | 55 | ······var_accounts_password_warn_age_login_defs:·7 |
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 58 | ······var_password_pam_unix_remember:·5 | 58 | ······var_password_pam_unix_remember:·5 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_tmout:·600 | 63 | ······var_accounts_tmout:·600 |
| 64 | ······var_removable_partition:·/dev/cdrom | ||
| 64 | ······var_auditd_max_log_file:·6 | 65 | ······var_auditd_max_log_file:·6 |
| 65 | ······var_auditd_admin_space_left_action:·single | 66 | ······var_auditd_admin_space_left_action:·single |
| 66 | ······var_auditd_max_log_file_action:·rotate | 67 | ······var_auditd_max_log_file_action:·rotate |
| 67 | ······var_removable_partition:·/dev/cdrom | ||
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Disable·service·s | 69 | ····-·name:·Disable·service·vsftpd |
| 70 | ······service: | 70 | ······service: |
| 71 | ········name="{{item}}" | 71 | ········name="{{item}}" |
| 72 | ········enabled="no" | 72 | ········enabled="no" |
| 73 | ········state="stopped" | 73 | ········state="stopped" |
| 74 | ······register:·service_result | 74 | ······register:·service_result |
| 75 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 75 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 76 | ······with_items: | 76 | ······with_items: |
| 77 | ········-·s | 77 | ········-·vsftpd |
| 78 | ······tags: | 78 | ······tags: |
| 79 | ········-·service_s | 79 | ········-·service_vsftpd_disabled |
| 80 | ········-·unknown_severity | 80 | ········-·unknown_severity |
| 81 | ········-·disable_strategy | 81 | ········-·disable_strategy |
| 82 | ········-·low_complexity | 82 | ········-·low_complexity |
| 83 | ········-·low_disruption | 83 | ········-·low_disruption |
| 84 | ········-·CCE-2 | 84 | ········-·CCE-26948-0 |
| 85 | ···· | 85 | ········-·NIST-800-53-CM-7 |
| 86 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 87 | ······stat: | ||
| 88 | ········path:·/etc/samba/smb.conf | ||
| 89 | ······register:·st_smb | ||
| 90 | ······tags: | ||
| 91 | ········-·require_smb_client_signing | ||
| 92 | ········-·unknown_severity | ||
| 93 | ········-·configure_strategy | ||
| 94 | ········-·low_complexity | ||
| 95 | ········-·medium_disruption | ||
| 96 | ········-·CCE-26328-5 | ||
| 97 | ········-·DISA-STIG-RHEL-06-000272 | ||
| 98 | ···· | 86 | ···· |
| 99 | ····-·name:· | 87 | ····-·name:·Ensure·vsftpd·is·removed |
| 100 | ······ | 88 | ······package: |
| 101 | ········ | 89 | ········name="{{item}}" |
| 102 | ········ | 90 | ········state=absent |
| 103 | ······ | 91 | ······with_items: |
| 104 | ········ | 92 | ········-·vsftpd |
| 105 | ······when:·st_smb.stat.exists | ||
| 106 | ······tags: | 93 | ······tags: |
| 107 | ········-· | 94 | ········-·package_vsftpd_removed |
| 108 | ········-·unknown_severity | 95 | ········-·unknown_severity |
| 109 | ········-· | 96 | ········-·disable_strategy |
| 110 | ········-·low_complexity | 97 | ········-·low_complexity |
| 111 | ········-· | 98 | ········-·low_disruption |
| 112 | ········-·CCE-26 | 99 | ········-·CCE-26687-4 |
| 113 | ········-· | 100 | ········-·NIST-800-53-CM-7 |
| 114 | ···· | 101 | ···· |
| 115 | ····-·name:·Disable·service·httpd | 102 | ····-·name:·Disable·service·httpd |
| 116 | ······service: | 103 | ······service: |
| 117 | ········name="{{item}}" | 104 | ········name="{{item}}" |
| 118 | ········enabled="no" | 105 | ········enabled="no" |
| 119 | ········state="stopped" | 106 | ········state="stopped" |
| 120 | ······register:·service_result | 107 | ······register:·service_result |
| Offset 141, 46 lines modified | Offset 128, 92 lines modified | ||
| 141 | ········-·unknown_severity | 128 | ········-·unknown_severity |
| 142 | ········-·disable_strategy | 129 | ········-·disable_strategy |
| 143 | ········-·low_complexity | 130 | ········-·low_complexity |
| 144 | ········-·low_disruption | 131 | ········-·low_disruption |
| 145 | ········-·CCE-27133-8 | 132 | ········-·CCE-27133-8 |
| 146 | ········-·NIST-800-53-CM-7 | 133 | ········-·NIST-800-53-CM-7 |
| 147 | ···· | 134 | ···· |
| 148 | ····-·name:· | 135 | ····-·name:·Disable·service·named |
| 136 | ······service: | ||
| 137 | ········name="{{item}}" | ||
| 138 | ········enabled="no" | ||
| 139 | ········state="stopped" | ||
| 140 | ······register:·service_result | ||
| 141 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 142 | ······with_items: | ||
| 143 | ········-·named | ||
| 144 | ······tags: | ||
| 145 | ········-·service_named_disabled | ||
| 146 | ········-·unknown_severity | ||
| 147 | ········-·disable_strategy | ||
| 148 | ········-·low_complexity | ||
| 149 | ········-·low_disruption | ||
| 150 | ········-·CCE-26873-0 | ||
| 151 | ········-·NIST-800-53-CM-7 | ||
| 152 | ···· | ||
| 153 | ····-·name:·Ensure·bind·is·removed | ||
| 149 | ······package: | 154 | ······package: |
| 150 | ········name="{{item}}" | 155 | ········name="{{item}}" |
| 151 | ········state=absent | 156 | ········state=absent |
| 152 | ······with_items: | 157 | ······with_items: |
| 153 | ········-· | 158 | ········-·bind |
| 154 | ······tags: | 159 | ······tags: |
| 155 | ········-·package_ | 160 | ········-·package_bind_removed |
| 156 | ········-· | 161 | ········-·unknown_severity |
| 157 | ········-·disable_strategy | 162 | ········-·disable_strategy |
| 158 | ········-·low_complexity | 163 | ········-·low_complexity |
| Max diff block lines reached; 126640/131720 bytes (96.14%) of diff not shown. | |||
| Offset 32, 46 lines modified | Offset 32, 46 lines modified | ||
| 32 | ·········msg:·> | 32 | ·········msg:·> |
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 36 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 37 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 37 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 38 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 38 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 39 | ······sysctl_net_ipv4_icmp_ | 39 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 40 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 41 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 42 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_ | 43 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 44 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 44 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_log_martians_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 46 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 47 | ······sysctl_net_ipv4_icmp_ | 47 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_ | 48 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 49 | ······var_selinux_policy_name:·targeted | 49 | ······var_selinux_policy_name:·targeted |
| 50 | ······var_selinux_state:·enforcing | 50 | ······var_selinux_state:·enforcing |
| 51 | ······var_accounts_password_minlen_login_defs:·12 | 51 | ······var_accounts_password_minlen_login_defs:·12 |
| 52 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 53 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 54 | ······var_accounts_password_warn_age_login_defs:·7 | 52 | ······var_accounts_password_warn_age_login_defs:·7 |
| 53 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 54 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 55 | ······var_account_disable_post_pw_expiration:·90 | 55 | ······var_account_disable_post_pw_expiration:·90 |
| 56 | ······var_password_pam_unix_remember:·24 | 56 | ······var_password_pam_unix_remember:·24 |
| 57 | ······var_accounts_passwords_pam_faillock_deny:·3 | 57 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 58 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 58 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 59 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 59 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 60 | ······var_password_pam_maxrepeat:·3 | 60 | ······var_password_pam_maxrepeat:·3 |
| 61 | ······var_password_pam_retry:·3 | 61 | ······var_password_pam_retry:·3 |
| 62 | ······var_accounts_max_concurrent_login_sessions:·1 | 62 | ······var_accounts_max_concurrent_login_sessions:·1 |
| 63 | ······var_removable_partition:·/dev/cdrom | ||
| 64 | ······var_removable_partition:·/dev/cdrom | ||
| 65 | ······var_removable_partition:·/dev/cdrom | ||
| 63 | ······var_auditd_max_log_file:·1 | 66 | ······var_auditd_max_log_file:·1 |
| 64 | ······var_auditd_action_mail_acct:·admin | 67 | ······var_auditd_action_mail_acct:·admin |
| 65 | ······var_auditd_space_left_action:·suspend | ||
| 66 | ······var_auditd_admin_space_left_action:·halt | 68 | ······var_auditd_admin_space_left_action:·halt |
| 69 | ······var_auditd_space_left_action:·suspend | ||
| 67 | ······var_auditd_max_log_file_action:·ignore | 70 | ······var_auditd_max_log_file_action:·ignore |
| 68 | ······var_removable_partition:·/dev/cdrom | ||
| 69 | ······var_removable_partition:·/dev/cdrom | ||
| 70 | ······var_removable_partition:·/dev/cdrom | ||
| 71 | ···tasks: | 71 | ···tasks: |
| 72 | ····-·name:·Enable·service·ntpd | 72 | ····-·name:·Enable·service·ntpd |
| 73 | ······service: | 73 | ······service: |
| 74 | ········name="{{item}}" | 74 | ········name="{{item}}" |
| 75 | ········enabled="yes" | 75 | ········enabled="yes" |
| 76 | ········state="started" | 76 | ········state="started" |
| 77 | ······with_items: | 77 | ······with_items: |
| Offset 83, 14 lines modified | Offset 83, 50 lines modified | ||
| 83 | ········-·low_complexity | 83 | ········-·low_complexity |
| 84 | ········-·low_disruption | 84 | ········-·low_disruption |
| 85 | ········-·CCE-27093-4 | 85 | ········-·CCE-27093-4 |
| 86 | ········-·NIST-800-53-AU-8(1) | 86 | ········-·NIST-800-53-AU-8(1) |
| 87 | ········-·PCI-DSS-Req-10.4 | 87 | ········-·PCI-DSS-Req-10.4 |
| 88 | ········-·DISA-STIG-RHEL-06-000247 | 88 | ········-·DISA-STIG-RHEL-06-000247 |
| 89 | ···· | 89 | ···· |
| 90 | ····-·name:·Enable·service·crond | ||
| 91 | ······service: | ||
| 92 | ········name="{{item}}" | ||
| 93 | ········enabled="yes" | ||
| 94 | ········state="started" | ||
| 95 | ······with_items: | ||
| 96 | ········-·crond | ||
| 97 | ······tags: | ||
| 98 | ········-·service_crond_enabled | ||
| 99 | ········-·medium_severity | ||
| 100 | ········-·enable_strategy | ||
| 101 | ········-·low_complexity | ||
| 102 | ········-·low_disruption | ||
| 103 | ········-·CCE-27070-2 | ||
| 104 | ········-·NIST-800-53-CM-7 | ||
| 105 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 106 | ···· | ||
| 107 | ····-·name:·Disable·service·atd | ||
| 108 | ······service: | ||
| 109 | ········name="{{item}}" | ||
| 110 | ········enabled="no" | ||
| 111 | ········state="stopped" | ||
| 112 | ······register:·service_result | ||
| 113 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 114 | ······with_items: | ||
| 115 | ········-·atd | ||
| 116 | ······tags: | ||
| 117 | ········-·service_atd_disabled | ||
| 118 | ········-·unknown_severity | ||
| 119 | ········-·disable_strategy | ||
| 120 | ········-·low_complexity | ||
| 121 | ········-·low_disruption | ||
| 122 | ········-·CCE-27249-2 | ||
| 123 | ········-·NIST-800-53-CM-7 | ||
| 124 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 125 | ···· | ||
| 90 | ····-·name:·Ensure·rsh·is·removed | 126 | ····-·name:·Ensure·rsh·is·removed |
| 91 | ······package: | 127 | ······package: |
| 92 | ········name="{{item}}" | 128 | ········name="{{item}}" |
| 93 | ········state=absent | 129 | ········state=absent |
| 94 | ······with_items: | 130 | ······with_items: |
| 95 | ········-·rsh | 131 | ········-·rsh |
| 96 | ······tags: | 132 | ······tags: |
| Offset 243, 50 lines modified | Offset 279, 14 lines modified | ||
| 243 | ········-·disable_strategy | 279 | ········-·disable_strategy |
| 244 | ········-·low_complexity | 280 | ········-·low_complexity |
| 245 | ········-·low_disruption | 281 | ········-·low_disruption |
| 246 | ········-·CCE-27005-8 | 282 | ········-·CCE-27005-8 |
| 247 | ········-·NIST-800-53-CM-7 | 283 | ········-·NIST-800-53-CM-7 |
| 248 | ········-·DISA-STIG-RHEL-06-000204 | 284 | ········-·DISA-STIG-RHEL-06-000204 |
| 249 | ···· | 285 | ···· |
| 250 | ····-·name:·Enable·service·crond | ||
| 251 | ······service: | ||
| 252 | ········name="{{item}}" | ||
| 253 | ········enabled="yes" | ||
| 254 | ········state="started" | ||
| 255 | ······with_items: | ||
| 256 | ········-·crond | ||
| 257 | ······tags: | ||
| 258 | ········-·service_crond_enabled | ||
| 259 | ········-·medium_severity | ||
| 260 | ········-·enable_strategy | ||
| 261 | ········-·low_complexity | ||
| 262 | ········-·low_disruption | ||
| 263 | ········-·CCE-27070-2 | ||
| 264 | ········-·NIST-800-53-CM-7 | ||
| 265 | ········-·DISA-STIG-RHEL-06-000224 | ||
| Max diff block lines reached; 145514/150564 bytes (96.65%) of diff not shown. | |||
| Offset 33, 42 lines modified | Offset 33, 57 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·300 | 36 | ······sshd_idle_timeout_value:·300 |
| 37 | ······rsyslog_remote_loghost_address:·None | 37 | ······rsyslog_remote_loghost_address:·None |
| 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 38 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 39 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 40 | ······sysctl_net_ipv4_icmp_ | 40 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 42 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_ | 44 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 45 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 47 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 49 | ······sysctl_net_ipv4_icmp_ | 49 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_ | 50 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 51 | ······var_selinux_policy_name:·targeted | 51 | ······var_selinux_policy_name:·targeted |
| 52 | ······var_selinux_state:·enforcing | 52 | ······var_selinux_state:·enforcing |
| 53 | ······var_accounts_password_minlen_login_defs:·15 | 53 | ······var_accounts_password_minlen_login_defs:·15 |
| 54 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 55 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 56 | ······var_accounts_password_warn_age_login_defs:·7 | 54 | ······var_accounts_password_warn_age_login_defs:·7 |
| 55 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 56 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 57 | ······var_password_pam_unix_remember:·5 | 57 | ······var_password_pam_unix_remember:·5 |
| 58 | ······var_accounts_passwords_pam_faillock_deny:·3 | 58 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 59 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 59 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 60 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 60 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 61 | ······var_password_pam_retry:·3 | 61 | ······var_password_pam_retry:·3 |
| 62 | ······var_accounts_tmout:·600 | 62 | ······var_accounts_tmout:·600 |
| 63 | ······var_removable_partition:·/dev/cdrom | ||
| 63 | ······var_auditd_max_log_file:·6 | 64 | ······var_auditd_max_log_file:·6 |
| 64 | ······var_auditd_admin_space_left_action:·single | 65 | ······var_auditd_admin_space_left_action:·single |
| 65 | ······var_auditd_max_log_file_action:·rotate | 66 | ······var_auditd_max_log_file_action:·rotate |
| 66 | ······var_removable_partition:·/dev/cdrom | ||
| 67 | ···tasks: | 67 | ···tasks: |
| 68 | ····-·name:·Ensure·vsftpd·is·installed | ||
| 69 | ······package: | ||
| 70 | ········name="{{item}}" | ||
| 71 | ········state=present | ||
| 72 | ······with_items: | ||
| 73 | ········-·vsftpd | ||
| 74 | ······tags: | ||
| 75 | ········-·package_vsftpd_installed | ||
| 76 | ········-·unknown_severity | ||
| 77 | ········-·enable_strategy | ||
| 78 | ········-·low_complexity | ||
| 79 | ········-·low_disruption | ||
| 80 | ········-·CCE-27187-4 | ||
| 81 | ········-·NIST-800-53-CM-7 | ||
| 82 | ···· | ||
| 68 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | 83 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 69 | ······stat: | 84 | ······stat: |
| 70 | ········path:·/etc/samba/smb.conf | 85 | ········path:·/etc/samba/smb.conf |
| 71 | ······register:·st_smb | 86 | ······register:·st_smb |
| 72 | ······tags: | 87 | ······tags: |
| 73 | ········-·require_smb_client_signing | 88 | ········-·require_smb_client_signing |
| 74 | ········-·unknown_severity | 89 | ········-·unknown_severity |
| Offset 108, 14 lines modified | Offset 123, 81 lines modified | ||
| 108 | ········-·low_complexity | 123 | ········-·low_complexity |
| 109 | ········-·low_disruption | 124 | ········-·low_disruption |
| 110 | ········-·CCE-27093-4 | 125 | ········-·CCE-27093-4 |
| 111 | ········-·NIST-800-53-AU-8(1) | 126 | ········-·NIST-800-53-AU-8(1) |
| 112 | ········-·PCI-DSS-Req-10.4 | 127 | ········-·PCI-DSS-Req-10.4 |
| 113 | ········-·DISA-STIG-RHEL-06-000247 | 128 | ········-·DISA-STIG-RHEL-06-000247 |
| 114 | ···· | 129 | ···· |
| 130 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 131 | ······package: | ||
| 132 | ········name="{{item}}" | ||
| 133 | ········state=absent | ||
| 134 | ······with_items: | ||
| 135 | ········-·openldap-servers | ||
| 136 | ······tags: | ||
| 137 | ········-·package_openldap-servers_removed | ||
| 138 | ········-·unknown_severity | ||
| 139 | ········-·disable_strategy | ||
| 140 | ········-·low_complexity | ||
| 141 | ········-·low_disruption | ||
| 142 | ········-·CCE-26858-1 | ||
| 143 | ········-·NIST-800-53-CM-7 | ||
| 144 | ········-·DISA-STIG-RHEL-06-000256 | ||
| 145 | ···· | ||
| 146 | ····-·name:·Enable·service·crond | ||
| 147 | ······service: | ||
| 148 | ········name="{{item}}" | ||
| 149 | ········enabled="yes" | ||
| 150 | ········state="started" | ||
| 151 | ······with_items: | ||
| 152 | ········-·crond | ||
| 153 | ······tags: | ||
| 154 | ········-·service_crond_enabled | ||
| 155 | ········-·medium_severity | ||
| 156 | ········-·enable_strategy | ||
| 157 | ········-·low_complexity | ||
| 158 | ········-·low_disruption | ||
| 159 | ········-·CCE-27070-2 | ||
| 160 | ········-·NIST-800-53-CM-7 | ||
| 161 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 162 | ···· | ||
| 163 | ····-·name:·Disable·service·atd | ||
| 164 | ······service: | ||
| 165 | ········name="{{item}}" | ||
| 166 | ········enabled="no" | ||
| 167 | ········state="stopped" | ||
| 168 | ······register:·service_result | ||
| 169 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 170 | ······with_items: | ||
| 171 | ········-·atd | ||
| 172 | ······tags: | ||
| 173 | ········-·service_atd_disabled | ||
| 174 | ········-·unknown_severity | ||
| 175 | ········-·disable_strategy | ||
| 176 | ········-·low_complexity | ||
| 177 | ········-·low_disruption | ||
| 178 | ········-·CCE-27249-2 | ||
| 179 | ········-·NIST-800-53-CM-7 | ||
| 180 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 181 | ···· | ||
| 182 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 183 | ······package: | ||
| 184 | ········name="{{item}}" | ||
| 185 | ········state=absent | ||
| 186 | ······with_items: | ||
| 187 | ········-·xorg-x11-server-common | ||
| 188 | ······tags: | ||
| Max diff block lines reached; 114906/119566 bytes (96.10%) of diff not shown. | |||
| Offset 38, 75 lines modified | Offset 38, 61 lines modified | ||
| 38 | ·········· | 38 | ·········· |
| 39 | ···vars: | 39 | ···vars: |
| 40 | ······sshd_idle_timeout_value:·300 | 40 | ······sshd_idle_timeout_value:·300 |
| 41 | ······rsyslog_remote_loghost_address:·None | 41 | ······rsyslog_remote_loghost_address:·None |
| 42 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 42 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 43 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 44 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 45 | ······sysctl_net_ipv4_icmp_ | 45 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 46 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 46 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 47 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 47 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_ | 49 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 50 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 52 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 53 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 54 | ······sysctl_net_ipv4_icmp_ | 54 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 55 | ······sysctl_net_ipv4_conf_ | 55 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1 |
| 56 | ······var_selinux_policy_name:·targeted | 56 | ······var_selinux_policy_name:·targeted |
| 57 | ······var_selinux_state:·enforcing | 57 | ······var_selinux_state:·enforcing |
| 58 | ······var_accounts_password_minlen_login_defs:·15 | 58 | ······var_accounts_password_minlen_login_defs:·15 |
| 59 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 60 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 61 | ······var_accounts_password_warn_age_login_defs:·7 | 59 | ······var_accounts_password_warn_age_login_defs:·7 |
| 60 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 61 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 62 | ······var_account_disable_post_pw_expiration:·40 | 62 | ······var_account_disable_post_pw_expiration:·40 |
| 63 | ······var_password_pam_unix_remember:·5 | 63 | ······var_password_pam_unix_remember:·5 |
| 64 | ······var_accounts_passwords_pam_faillock_deny:·3 | 64 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 65 | ······var_accounts_passwords_pam_faillock_unlock_time:·900 | 65 | ······var_accounts_passwords_pam_faillock_unlock_time:·900 |
| 66 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 66 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 67 | ······var_password_pam_retry:·3 | 67 | ······var_password_pam_retry:·3 |
| 68 | ······var_accounts_tmout:·600 | 68 | ······var_accounts_tmout:·600 |
| 69 | ······var_removable_partition:·/dev/cdrom | ||
| 70 | ······var_removable_partition:·/dev/cdrom | ||
| 71 | ······var_removable_partition:·/dev/cdrom | ||
| 69 | ······var_auditd_max_log_file:·6 | 72 | ······var_auditd_max_log_file:·6 |
| 70 | ······var_auditd_action_mail_acct:·admin | 73 | ······var_auditd_action_mail_acct:·admin |
| 71 | ······var_auditd_space_left_action:·suspend | ||
| 72 | ······var_auditd_admin_space_left_action:·single | 74 | ······var_auditd_admin_space_left_action:·single |
| 75 | ······var_auditd_space_left_action:·suspend | ||
| 73 | ······var_auditd_max_log_file_action:·rotate | 76 | ······var_auditd_max_log_file_action:·rotate |
| 74 | ······var_removable_partition:·/dev/cdrom | ||
| 75 | ······var_removable_partition:·/dev/cdrom | ||
| 76 | ······var_removable_partition:·/dev/cdrom | ||
| 77 | ···tasks: | 77 | ···tasks: |
| 78 | ····-·name:· | 78 | ····-·name:·Ensure·vsftpd·is·removed |
| 79 | ······ | 79 | ······package: |
| 80 | ········ | 80 | ········name="{{item}}" |
| 81 | ······ | 81 | ········state=absent |
| 82 | ······t | 82 | ······with_items: |
| 83 | ········-· | 83 | ········-·vsftpd |
| 84 | ········-·unknown_severity | ||
| 85 | ········-·configure_strategy | ||
| 86 | ········-·low_complexity | ||
| 87 | ········-·medium_disruption | ||
| 88 | ········-·CCE-26328-5 | ||
| 89 | ········-·DISA-STIG-RHEL-06-000272 | ||
| 90 | ···· | ||
| 91 | ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient | ||
| 92 | ······lineinfile: | ||
| 93 | ········dest:·/etc/samba/smb.conf | ||
| 94 | ········line:·client·signing·=·mandatory | ||
| 95 | ········state:·present | ||
| 96 | ········insertafter:·[global] | ||
| 97 | ······when:·st_smb.stat.exists | ||
| 98 | ······tags: | 84 | ······tags: |
| 99 | ········-· | 85 | ········-·package_vsftpd_removed |
| 100 | ········-·unknown_severity | 86 | ········-·unknown_severity |
| 101 | ········-· | 87 | ········-·disable_strategy |
| 102 | ········-·low_complexity | 88 | ········-·low_complexity |
| 103 | ········-· | 89 | ········-·low_disruption |
| 104 | ········-·CCE-26 | 90 | ········-·CCE-26687-4 |
| 105 | ········-· | 91 | ········-·NIST-800-53-CM-7 |
| 106 | ···· | 92 | ···· |
| 107 | ····-·name:·Disable·service·httpd | 93 | ····-·name:·Disable·service·httpd |
| 108 | ······service: | 94 | ······service: |
| 109 | ········name="{{item}}" | 95 | ········name="{{item}}" |
| 110 | ········enabled="no" | 96 | ········enabled="no" |
| 111 | ········state="stopped" | 97 | ········state="stopped" |
| 112 | ······register:·service_result | 98 | ······register:·service_result |
| Offset 133, 62 lines modified | Offset 119, 75 lines modified | ||
| 133 | ········-·unknown_severity | 119 | ········-·unknown_severity |
| 134 | ········-·disable_strategy | 120 | ········-·disable_strategy |
| 135 | ········-·low_complexity | 121 | ········-·low_complexity |
| 136 | ········-·low_disruption | 122 | ········-·low_disruption |
| 137 | ········-·CCE-27133-8 | 123 | ········-·CCE-27133-8 |
| 138 | ········-·NIST-800-53-CM-7 | 124 | ········-·NIST-800-53-CM-7 |
| 139 | ···· | 125 | ···· |
| 140 | ····-·name:· | 126 | ····-·name:·Disable·service·named |
| 141 | ······ | 127 | ······service: |
| 142 | ········name="{{item}}" | 128 | ········name="{{item}}" |
| 143 | ········ | 129 | ········enabled="no" |
| 130 | ········state="stopped" | ||
| 131 | ······register:·service_result | ||
| 132 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 144 | ······with_items: | 133 | ······with_items: |
| 145 | ········-· | 134 | ········-·named |
| 146 | ······tags: | 135 | ······tags: |
| 147 | ········-· | 136 | ········-·service_named_disabled |
| 148 | ········-· | 137 | ········-·unknown_severity |
| 149 | ········-·disable_strategy | 138 | ········-·disable_strategy |
| 150 | ········-·low_complexity | 139 | ········-·low_complexity |
| 151 | ········-·low_disruption | 140 | ········-·low_disruption |
| 152 | ········-·CCE-2 | 141 | ········-·CCE-26873-0 |
| 153 | ········-·NIST-800-53-CM-7 | 142 | ········-·NIST-800-53-CM-7 |
| 154 | ········-·DISA-STIG-RHEL-06-000288 | ||
| 155 | ···· | 143 | ···· |
| 156 | ····-·name:·Ensure· | 144 | ····-·name:·Ensure·bind·is·removed |
| 157 | ······package: | 145 | ······package: |
| 158 | ········name="{{item}}" | 146 | ········name="{{item}}" |
| 159 | ········state=absent | 147 | ········state=absent |
| 160 | ······with_items: | 148 | ······with_items: |
| 161 | ········-· | 149 | ········-·bind |
| 162 | ······tags: | 150 | ······tags: |
| 163 | ········-·package_ | 151 | ········-·package_bind_removed |
| 164 | ········-· | 152 | ········-·unknown_severity |
| 165 | ········-·disable_strategy | 153 | ········-·disable_strategy |
| 166 | ········-·low_complexity | 154 | ········-·low_complexity |
| 167 | ········-·low_disruption | 155 | ········-·low_disruption |
| 168 | ········-·CCE-27 | 156 | ········-·CCE-27030-6 |
| 169 | ········-·NIST-800-53-CM-7 | 157 | ········-·NIST-800-53-CM-7 |
| 170 | ···· | 158 | ···· |
| 171 | ····-·name:· | 159 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 172 | ······s | 160 | ······stat: |
| 173 | ········ | 161 | ········path:·/etc/samba/smb.conf |
| 174 | ······ | 162 | ······register:·st_smb |
| Max diff block lines reached; 169386/174902 bytes (96.85%) of diff not shown. | |||
| Offset 39, 16 lines modified | Offset 39, 16 lines modified | ||
| 39 | ······var_password_pam_unix_remember:·4 | 39 | ······var_password_pam_unix_remember:·4 |
| 40 | ······var_accounts_passwords_pam_faillock_deny:·6 | 40 | ······var_accounts_passwords_pam_faillock_deny:·6 |
| 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 | 41 | ······var_accounts_passwords_pam_faillock_unlock_time:·1800 |
| 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 42 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 43 | ······var_password_pam_minlen:·7 | 43 | ······var_password_pam_minlen:·7 |
| 44 | ······var_auditd_max_log_file:·1 | 44 | ······var_auditd_max_log_file:·1 |
| 45 | ······var_auditd_action_mail_acct:·admin | 45 | ······var_auditd_action_mail_acct:·admin |
| 46 | ······var_auditd_space_left_action:·suspend | ||
| 47 | ······var_auditd_admin_space_left_action:·suspend | 46 | ······var_auditd_admin_space_left_action:·suspend |
| 47 | ······var_auditd_space_left_action:·suspend | ||
| 48 | ······var_auditd_max_log_file_action:·ignore | 48 | ······var_auditd_max_log_file_action:·ignore |
| 49 | ···tasks: | 49 | ···tasks: |
| 50 | ····-·name:·Enable·service·ntpd | 50 | ····-·name:·Enable·service·ntpd |
| 51 | ······service: | 51 | ······service: |
| 52 | ········name="{{item}}" | 52 | ········name="{{item}}" |
| 53 | ········enabled="yes" | 53 | ········enabled="yes" |
| 54 | ········state="started" | 54 | ········state="started" |
| Offset 83, 439 lines modified | Offset 83, 14 lines modified | ||
| 83 | ········-·low_disruption | 83 | ········-·low_disruption |
| 84 | ········-·CCE-26919-1 | 84 | ········-·CCE-26919-1 |
| 85 | ········-·NIST-800-53-AC-2(5) | 85 | ········-·NIST-800-53-AC-2(5) |
| 86 | ········-·NIST-800-53-SA-8 | 86 | ········-·NIST-800-53-SA-8 |
| 87 | ········-·PCI-DSS-Req-8.1.8 | 87 | ········-·PCI-DSS-Req-8.1.8 |
| 88 | ········-·DISA-STIG-RHEL-06-000230 | 88 | ········-·DISA-STIG-RHEL-06-000230 |
| 89 | ···· | 89 | ···· |
| 90 | ····-·name:·"Read·list·of·files·with·incorrect·permissions" | ||
| 91 | ······shell:·"rpm·-Va·|·grep·'^.M'·|·cut·-d·'·'·-f5-·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" | ||
| 92 | ······register:·files_with_incorrect_permissions | ||
| 93 | ······failed_when:·False | ||
| 94 | ······changed_when:·False | ||
| 95 | ······check_mode:·no | ||
| 96 | ······tags: | ||
| 97 | ········-·rpm_verify_permissions | ||
| 98 | ········-·unknown_severity | ||
| 99 | ········-·restrict_strategy | ||
| 100 | ········-·high_complexity | ||
| 101 | ········-·medium_disruption | ||
| 102 | ········-·CCE-26731-0 | ||
| 103 | ········-·NIST-800-53-AC-6 | ||
| 104 | ········-·NIST-800-53-CM-6(d) | ||
| 105 | ········-·NIST-800-53-SI-7 | ||
| 106 | ········-·PCI-DSS-Req-11.5 | ||
| 107 | ········-·DISA-STIG-RHEL-06-000518 | ||
| 108 | ···· | ||
| 109 | ····-·name:·"Correct·file·permissions·with·RPM" | ||
| 110 | ······shell:·"rpm·--setperms·$(rpm·-qf·'{{item}}')" | ||
| 111 | ······with_items:·"{{·files_with_incorrect_permissions.stdout_lines·}}" | ||
| 112 | ······when:·files_with_incorrect_permissions.stdout_lines·|·length·>·0 | ||
| 113 | ······tags: | ||
| 114 | ········-·rpm_verify_permissions | ||
| 115 | ········-·unknown_severity | ||
| 116 | ········-·restrict_strategy | ||
| 117 | ········-·high_complexity | ||
| 118 | ········-·medium_disruption | ||
| 119 | ········-·CCE-26731-0 | ||
| 120 | ········-·NIST-800-53-AC-6 | ||
| 121 | ········-·NIST-800-53-CM-6(d) | ||
| 122 | ········-·NIST-800-53-SI-7 | ||
| 123 | ········-·PCI-DSS-Req-11.5 | ||
| 124 | ········-·DISA-STIG-RHEL-06-000518 | ||
| 125 | ···· | ||
| 126 | ····-·name:·"Set·fact:·Package·manager·reinstall·command·(dnf)" | ||
| 127 | ······set_fact: | ||
| 128 | ········package_manager_reinstall_cmd:·dnf·reinstall·-y | ||
| 129 | ······when:·ansible_distribution·==·"Fedora" | ||
| 130 | ······tags: | ||
| 131 | ········-·rpm_verify_hashes | ||
| 132 | ········-·unknown_severity | ||
| 133 | ········-·unknown_strategy | ||
| 134 | ········-·high_complexity | ||
| 135 | ········-·medium_disruption | ||
| 136 | ········-·CCE-27223-7 | ||
| 137 | ········-·NIST-800-53-CM-6(d) | ||
| 138 | ········-·NIST-800-53-SI-7 | ||
| 139 | ········-·PCI-DSS-Req-11.5 | ||
| 140 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 141 | ···· | ||
| 142 | ····-·name:·"Set·fact:·Package·manager·reinstall·command·(yum)" | ||
| 143 | ······set_fact: | ||
| 144 | ········package_manager_reinstall_cmd:·yum·reinstall·-y | ||
| 145 | ······when:·ansible_distribution·==·"RedHat"·or·ansible_distribution·==·"OracleLinux" | ||
| 146 | ······tags: | ||
| 147 | ········-·rpm_verify_hashes | ||
| 148 | ········-·unknown_severity | ||
| 149 | ········-·unknown_strategy | ||
| 150 | ········-·high_complexity | ||
| 151 | ········-·medium_disruption | ||
| 152 | ········-·CCE-27223-7 | ||
| 153 | ········-·NIST-800-53-CM-6(d) | ||
| 154 | ········-·NIST-800-53-SI-7 | ||
| 155 | ········-·PCI-DSS-Req-11.5 | ||
| 156 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 157 | ···· | ||
| 158 | ····-·name:·"Read·files·with·incorrect·hash" | ||
| 159 | ······shell:·"rpm·-Va·|·grep·-E·'^..5.*·/(bin|sbin|lib|lib64|usr)/'·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" | ||
| 160 | ······register:·files_with_incorrect_hash | ||
| 161 | ······changed_when:·False | ||
| 162 | ······when:·package_manager_reinstall_cmd·is·defined | ||
| 163 | ······check_mode:·no | ||
| 164 | ······tags: | ||
| 165 | ········-·rpm_verify_hashes | ||
| 166 | ········-·unknown_severity | ||
| 167 | ········-·unknown_strategy | ||
| 168 | ········-·high_complexity | ||
| 169 | ········-·medium_disruption | ||
| 170 | ········-·CCE-27223-7 | ||
| 171 | ········-·NIST-800-53-CM-6(d) | ||
| 172 | ········-·NIST-800-53-SI-7 | ||
| 173 | ········-·PCI-DSS-Req-11.5 | ||
| 174 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 175 | ···· | ||
| 176 | ····-·name:·"Reinstall·packages·of·files·with·incorrect·hash" | ||
| 177 | ······shell:·"{{package_manager_reinstall_cmd}}·$(rpm·-qf·'{{item}}')" | ||
| 178 | ······with_items:·"{{·files_with_incorrect_hash.stdout_lines·}}" | ||
| 179 | ······when:·package_manager_reinstall_cmd·is·defined·and·(files_with_incorrect_hash.stdout_lines·|·length·>·0) | ||
| 180 | ······tags: | ||
| 181 | ········-·rpm_verify_hashes | ||
| 182 | ········-·unknown_severity | ||
| 183 | ········-·unknown_strategy | ||
| 184 | ········-·high_complexity | ||
| 185 | ········-·medium_disruption | ||
| 186 | ········-·CCE-27223-7 | ||
| 187 | ········-·NIST-800-53-CM-6(d) | ||
| 188 | ········-·NIST-800-53-SI-7 | ||
| 189 | ········-·PCI-DSS-Req-11.5 | ||
| 190 | ········-·DISA-STIG-RHEL-06-000519 | ||
| 191 | ···· | ||
| Max diff block lines reached; 77885/91457 bytes (85.16%) of diff not shown. | |||
| Offset 33, 23 lines modified | Offset 33, 42 lines modified | ||
| 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 33 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 34 | ·········· | 34 | ·········· |
| 35 | ···vars: | 35 | ···vars: |
| 36 | ······sshd_idle_timeout_value:·300 | 36 | ······sshd_idle_timeout_value:·300 |
| 37 | ······var_selinux_policy_name:·targeted | 37 | ······var_selinux_policy_name:·targeted |
| 38 | ······var_selinux_state:·enforcing | 38 | ······var_selinux_state:·enforcing |
| 39 | ······var_accounts_password_minlen_login_defs:·6 | 39 | ······var_accounts_password_minlen_login_defs:·6 |
| 40 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 41 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 42 | ······var_accounts_password_warn_age_login_defs:·7 | 40 | ······var_accounts_password_warn_age_login_defs:·7 |
| 41 | ······var_accounts_maximum_age_login_defs:·120 | ||
| 42 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 43 | ······var_password_pam_unix_remember:·5 | 43 | ······var_password_pam_unix_remember:·5 |
| 44 | ······var_accounts_passwords_pam_faillock_deny:·5 | 44 | ······var_accounts_passwords_pam_faillock_deny:·5 |
| 45 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 45 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 46 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 46 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 47 | ······var_password_pam_retry:·3 | 47 | ······var_password_pam_retry:·3 |
| 48 | ···tasks: | 48 | ···tasks: |
| 49 | ····-·name:·Disable·service·atd | ||
| 50 | ······service: | ||
| 51 | ········name="{{item}}" | ||
| 52 | ········enabled="no" | ||
| 53 | ········state="stopped" | ||
| 54 | ······register:·service_result | ||
| 55 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 56 | ······with_items: | ||
| 57 | ········-·atd | ||
| 58 | ······tags: | ||
| 59 | ········-·service_atd_disabled | ||
| 60 | ········-·unknown_severity | ||
| 61 | ········-·disable_strategy | ||
| 62 | ········-·low_complexity | ||
| 63 | ········-·low_disruption | ||
| 64 | ········-·CCE-27249-2 | ||
| 65 | ········-·NIST-800-53-CM-7 | ||
| 66 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 67 | ···· | ||
| 49 | ····-·name:·Ensure·rsh-server·is·removed | 68 | ····-·name:·Ensure·rsh-server·is·removed |
| 50 | ······package: | 69 | ······package: |
| 51 | ········name="{{item}}" | 70 | ········name="{{item}}" |
| 52 | ········state=absent | 71 | ········state=absent |
| 53 | ······with_items: | 72 | ······with_items: |
| 54 | ········-·rsh-server | 73 | ········-·rsh-server |
| 55 | ······tags: | 74 | ······tags: |
| Offset 179, 33 lines modified | Offset 198, 14 lines modified | ||
| 179 | ········-·disable_strategy | 198 | ········-·disable_strategy |
| 180 | ········-·low_complexity | 199 | ········-·low_complexity |
| 181 | ········-·low_disruption | 200 | ········-·low_disruption |
| 182 | ········-·CCE-27005-8 | 201 | ········-·CCE-27005-8 |
| 183 | ········-·NIST-800-53-CM-7 | 202 | ········-·NIST-800-53-CM-7 |
| 184 | ········-·DISA-STIG-RHEL-06-000204 | 203 | ········-·DISA-STIG-RHEL-06-000204 |
| 185 | ···· | 204 | ···· |
| 186 | ····-·name:·Disable·service·atd | ||
| 187 | ······service: | ||
| 188 | ········name="{{item}}" | ||
| 189 | ········enabled="no" | ||
| 190 | ········state="stopped" | ||
| 191 | ······register:·service_result | ||
| 192 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 193 | ······with_items: | ||
| 194 | ········-·atd | ||
| 195 | ······tags: | ||
| 196 | ········-·service_atd_disabled | ||
| 197 | ········-·unknown_severity | ||
| 198 | ········-·disable_strategy | ||
| 199 | ········-·low_complexity | ||
| 200 | ········-·low_disruption | ||
| 201 | ········-·CCE-27249-2 | ||
| 202 | ········-·NIST-800-53-CM-7 | ||
| 203 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 204 | ···· | ||
| 205 | ····-·name:·Disable·service·rdisc | 205 | ····-·name:·Disable·service·rdisc |
| 206 | ······service: | 206 | ······service: |
| 207 | ········name="{{item}}" | 207 | ········name="{{item}}" |
| 208 | ········enabled="no" | 208 | ········enabled="no" |
| 209 | ········state="stopped" | 209 | ········state="stopped" |
| 210 | ······register:·service_result | 210 | ······register:·service_result |
| 211 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 211 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 294, 14 lines modified | Offset 294, 33 lines modified | ||
| 294 | ········-·disable_strategy | 294 | ········-·disable_strategy |
| 295 | ········-·low_complexity | 295 | ········-·low_complexity |
| 296 | ········-·low_disruption | 296 | ········-·low_disruption |
| 297 | ········-·CCE-27256-7 | 297 | ········-·CCE-27256-7 |
| 298 | ········-·NIST-800-53-CM-7 | 298 | ········-·NIST-800-53-CM-7 |
| 299 | ········-·DISA-STIG-RHEL-06-000265 | 299 | ········-·DISA-STIG-RHEL-06-000265 |
| 300 | ···· | 300 | ···· |
| 301 | ····-·name:·Disable·service·avahi-daemon | ||
| 302 | ······service: | ||
| 303 | ········name="{{item}}" | ||
| 304 | ········enabled="no" | ||
| 305 | ········state="stopped" | ||
| 306 | ······register:·service_result | ||
| 307 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 308 | ······with_items: | ||
| 309 | ········-·avahi-daemon | ||
| 310 | ······tags: | ||
| 311 | ········-·service_avahi-daemon_disabled | ||
| 312 | ········-·unknown_severity | ||
| 313 | ········-·disable_strategy | ||
| 314 | ········-·low_complexity | ||
| 315 | ········-·low_disruption | ||
| 316 | ········-·CCE-27087-6 | ||
| 317 | ········-·NIST-800-53-CM-7 | ||
| 318 | ········-·DISA-STIG-RHEL-06-000246 | ||
| 319 | ···· | ||
| 301 | ····-·name:·Disable·SSH·Support·for·.rhosts·Files | 320 | ····-·name:·Disable·SSH·Support·for·.rhosts·Files |
| 302 | ······lineinfile: | 321 | ······lineinfile: |
| 303 | ········create:·yes | 322 | ········create:·yes |
| 304 | ········dest:·/etc/ssh/sshd_config | 323 | ········dest:·/etc/ssh/sshd_config |
| 305 | ········regexp:·^IgnoreRhosts | 324 | ········regexp:·^IgnoreRhosts |
| 306 | ········line:·IgnoreRhosts·yes | 325 | ········line:·IgnoreRhosts·yes |
| 307 | ········validate:·sshd·-t·-f·%s | 326 | ········validate:·sshd·-t·-f·%s |
| Offset 440, 33 lines modified | Offset 459, 14 lines modified | ||
| 440 | ········-·restrict_strategy | 459 | ········-·restrict_strategy |
| 441 | ········-·low_complexity | 460 | ········-·low_complexity |
| 442 | ········-·low_disruption | 461 | ········-·low_disruption |
| 443 | ········-·CCE-27091-8 | 462 | ········-·CCE-27091-8 |
| 444 | ········-·NIST-800-53-AC-3 | 463 | ········-·NIST-800-53-AC-3 |
| 445 | ········-·DISA-STIG-RHEL-06-000236 | 464 | ········-·DISA-STIG-RHEL-06-000236 |
| 446 | ···· | 465 | ···· |
| 447 | ···· | ||
| 448 | ····-·name:·"Allow·Only·SSH·Protocol·2" | ||
| 449 | ······lineinfile: | ||
| 450 | ········dest:·/etc/ssh/sshd_config | ||
| 451 | ········regexp:·"^Protocol·[0-9]" | ||
| 452 | ········line:·"Protocol·2" | ||
| 453 | ········validate:·sshd·-t·-f·%s | ||
| Max diff block lines reached; 22675/26927 bytes (84.21%) of diff not shown. | |||
| Offset 34, 41 lines modified | Offset 34, 41 lines modified | ||
| 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 34 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······rsyslog_remote_loghost_address:·None | 38 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 39 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 40 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 41 | ······sysctl_net_ipv4_icmp_ | 41 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 42 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 43 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 44 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 45 | ······sysctl_net_ipv4_conf_ | 45 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_ | 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 52 | ······var_selinux_policy_name:·targeted | 52 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 53 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·15 | 54 | ······var_accounts_password_minlen_login_defs:·15 |
| 55 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_password_warn_age_login_defs:·7 | 55 | ······var_accounts_password_warn_age_login_defs:·7 |
| 56 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 57 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 58 | ······var_password_pam_unix_remember:·5 | 58 | ······var_password_pam_unix_remember:·5 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·3 | 59 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_tmout:·600 | 63 | ······var_accounts_tmout:·600 |
| 64 | ······var_removable_partition:·/dev/cdrom | ||
| 64 | ······var_auditd_max_log_file:·6 | 65 | ······var_auditd_max_log_file:·6 |
| 65 | ······var_auditd_admin_space_left_action:·single | 66 | ······var_auditd_admin_space_left_action:·single |
| 66 | ······var_auditd_max_log_file_action:·rotate | 67 | ······var_auditd_max_log_file_action:·rotate |
| 67 | ······var_removable_partition:·/dev/cdrom | ||
| 68 | ···tasks: | 68 | ···tasks: |
| 69 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | 69 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 70 | ······stat: | 70 | ······stat: |
| 71 | ········path:·/etc/samba/smb.conf | 71 | ········path:·/etc/samba/smb.conf |
| 72 | ······register:·st_smb | 72 | ······register:·st_smb |
| 73 | ······tags: | 73 | ······tags: |
| 74 | ········-·require_smb_client_signing | 74 | ········-·require_smb_client_signing |
| Offset 109, 14 lines modified | Offset 109, 81 lines modified | ||
| 109 | ········-·low_complexity | 109 | ········-·low_complexity |
| 110 | ········-·low_disruption | 110 | ········-·low_disruption |
| 111 | ········-·CCE-27093-4 | 111 | ········-·CCE-27093-4 |
| 112 | ········-·NIST-800-53-AU-8(1) | 112 | ········-·NIST-800-53-AU-8(1) |
| 113 | ········-·PCI-DSS-Req-10.4 | 113 | ········-·PCI-DSS-Req-10.4 |
| 114 | ········-·DISA-STIG-RHEL-06-000247 | 114 | ········-·DISA-STIG-RHEL-06-000247 |
| 115 | ···· | 115 | ···· |
| 116 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 117 | ······package: | ||
| 118 | ········name="{{item}}" | ||
| 119 | ········state=absent | ||
| 120 | ······with_items: | ||
| 121 | ········-·openldap-servers | ||
| 122 | ······tags: | ||
| 123 | ········-·package_openldap-servers_removed | ||
| 124 | ········-·unknown_severity | ||
| 125 | ········-·disable_strategy | ||
| 126 | ········-·low_complexity | ||
| 127 | ········-·low_disruption | ||
| 128 | ········-·CCE-26858-1 | ||
| 129 | ········-·NIST-800-53-CM-7 | ||
| 130 | ········-·DISA-STIG-RHEL-06-000256 | ||
| 131 | ···· | ||
| 132 | ····-·name:·Enable·service·crond | ||
| 133 | ······service: | ||
| 134 | ········name="{{item}}" | ||
| 135 | ········enabled="yes" | ||
| 136 | ········state="started" | ||
| 137 | ······with_items: | ||
| 138 | ········-·crond | ||
| 139 | ······tags: | ||
| 140 | ········-·service_crond_enabled | ||
| 141 | ········-·medium_severity | ||
| 142 | ········-·enable_strategy | ||
| 143 | ········-·low_complexity | ||
| 144 | ········-·low_disruption | ||
| 145 | ········-·CCE-27070-2 | ||
| 146 | ········-·NIST-800-53-CM-7 | ||
| 147 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 148 | ···· | ||
| 149 | ····-·name:·Disable·service·atd | ||
| 150 | ······service: | ||
| 151 | ········name="{{item}}" | ||
| 152 | ········enabled="no" | ||
| 153 | ········state="stopped" | ||
| 154 | ······register:·service_result | ||
| 155 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 156 | ······with_items: | ||
| 157 | ········-·atd | ||
| 158 | ······tags: | ||
| 159 | ········-·service_atd_disabled | ||
| 160 | ········-·unknown_severity | ||
| 161 | ········-·disable_strategy | ||
| 162 | ········-·low_complexity | ||
| 163 | ········-·low_disruption | ||
| 164 | ········-·CCE-27249-2 | ||
| 165 | ········-·NIST-800-53-CM-7 | ||
| 166 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 167 | ···· | ||
| 168 | ····-·name:·Ensure·xorg-x11-server-common·is·removed | ||
| 169 | ······package: | ||
| 170 | ········name="{{item}}" | ||
| 171 | ········state=absent | ||
| 172 | ······with_items: | ||
| 173 | ········-·xorg-x11-server-common | ||
| 174 | ······tags: | ||
| 175 | ········-·package_xorg-x11-server-common_removed | ||
| 176 | ········-·unknown_severity | ||
| 177 | ········-·disable_strategy | ||
| 178 | ········-·low_complexity | ||
| 179 | ········-·low_disruption | ||
| 180 | ········-·CCE-27198-1 | ||
| 181 | ········-·DISA-STIG-RHEL-06-000291 | ||
| 182 | ···· | ||
| 116 | ····-·name:·Ensure·rsh-server·is·removed | 183 | ····-·name:·Ensure·rsh-server·is·removed |
| 117 | ······package: | 184 | ······package: |
| 118 | ········name="{{item}}" | 185 | ········name="{{item}}" |
| 119 | ········state=absent | 186 | ········state=absent |
| 120 | ······with_items: | 187 | ······with_items: |
| 121 | ········-·rsh-server | 188 | ········-·rsh-server |
| 122 | ······tags: | 189 | ······tags: |
| Offset 271, 65 lines modified | Offset 338, 14 lines modified | ||
| Max diff block lines reached; 114413/118830 bytes (96.28%) of diff not shown. | |||
| Offset 35, 41 lines modified | Offset 35, 41 lines modified | ||
| 35 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 35 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 36 | ·········· | 36 | ·········· |
| 37 | ···vars: | 37 | ···vars: |
| 38 | ······sshd_idle_timeout_value:·300 | 38 | ······sshd_idle_timeout_value:·300 |
| 39 | ······rsyslog_remote_loghost_address:·None | 39 | ······rsyslog_remote_loghost_address:·None |
| 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 42 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_ | 46 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_icmp_ | 51 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 52 | ······sysctl_net_ipv4_conf_ | 52 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 53 | ······var_selinux_policy_name:·targeted | 53 | ······var_selinux_policy_name:·targeted |
| 54 | ······var_selinux_state:·enforcing | 54 | ······var_selinux_state:·enforcing |
| 55 | ······var_accounts_password_minlen_login_defs:·15 | 55 | ······var_accounts_password_minlen_login_defs:·15 |
| 56 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 57 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 58 | ······var_accounts_password_warn_age_login_defs:·7 | 56 | ······var_accounts_password_warn_age_login_defs:·7 |
| 57 | ······var_accounts_maximum_age_login_defs:·90 | ||
| 58 | ······var_accounts_minimum_age_login_defs:·7 | ||
| 59 | ······var_password_pam_unix_remember:·5 | 59 | ······var_password_pam_unix_remember:·5 |
| 60 | ······var_accounts_passwords_pam_faillock_deny:·3 | 60 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 62 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 62 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 63 | ······var_password_pam_retry:·3 | 63 | ······var_password_pam_retry:·3 |
| 64 | ······var_accounts_tmout:·600 | 64 | ······var_accounts_tmout:·600 |
| 65 | ······var_removable_partition:·/dev/cdrom | ||
| 65 | ······var_auditd_max_log_file:·6 | 66 | ······var_auditd_max_log_file:·6 |
| 66 | ······var_auditd_admin_space_left_action:·single | 67 | ······var_auditd_admin_space_left_action:·single |
| 67 | ······var_auditd_max_log_file_action:·rotate | 68 | ······var_auditd_max_log_file_action:·rotate |
| 68 | ······var_removable_partition:·/dev/cdrom | ||
| 69 | ···tasks: | 69 | ···tasks: |
| 70 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | 70 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 71 | ······stat: | 71 | ······stat: |
| 72 | ········path:·/etc/samba/smb.conf | 72 | ········path:·/etc/samba/smb.conf |
| 73 | ······register:·st_smb | 73 | ······register:·st_smb |
| 74 | ······tags: | 74 | ······tags: |
| 75 | ········-·require_smb_client_signing | 75 | ········-·require_smb_client_signing |
| Offset 110, 14 lines modified | Offset 110, 66 lines modified | ||
| 110 | ········-·low_complexity | 110 | ········-·low_complexity |
| 111 | ········-·low_disruption | 111 | ········-·low_disruption |
| 112 | ········-·CCE-27093-4 | 112 | ········-·CCE-27093-4 |
| 113 | ········-·NIST-800-53-AU-8(1) | 113 | ········-·NIST-800-53-AU-8(1) |
| 114 | ········-·PCI-DSS-Req-10.4 | 114 | ········-·PCI-DSS-Req-10.4 |
| 115 | ········-·DISA-STIG-RHEL-06-000247 | 115 | ········-·DISA-STIG-RHEL-06-000247 |
| 116 | ···· | 116 | ···· |
| 117 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 118 | ······package: | ||
| 119 | ········name="{{item}}" | ||
| 120 | ········state=absent | ||
| 121 | ······with_items: | ||
| 122 | ········-·openldap-servers | ||
| 123 | ······tags: | ||
| 124 | ········-·package_openldap-servers_removed | ||
| 125 | ········-·unknown_severity | ||
| 126 | ········-·disable_strategy | ||
| 127 | ········-·low_complexity | ||
| 128 | ········-·low_disruption | ||
| 129 | ········-·CCE-26858-1 | ||
| 130 | ········-·NIST-800-53-CM-7 | ||
| 131 | ········-·DISA-STIG-RHEL-06-000256 | ||
| 132 | ···· | ||
| 133 | ····-·name:·Enable·service·crond | ||
| 134 | ······service: | ||
| 135 | ········name="{{item}}" | ||
| 136 | ········enabled="yes" | ||
| 137 | ········state="started" | ||
| 138 | ······with_items: | ||
| 139 | ········-·crond | ||
| 140 | ······tags: | ||
| 141 | ········-·service_crond_enabled | ||
| 142 | ········-·medium_severity | ||
| 143 | ········-·enable_strategy | ||
| 144 | ········-·low_complexity | ||
| 145 | ········-·low_disruption | ||
| 146 | ········-·CCE-27070-2 | ||
| 147 | ········-·NIST-800-53-CM-7 | ||
| 148 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 149 | ···· | ||
| 150 | ····-·name:·Disable·service·atd | ||
| 151 | ······service: | ||
| 152 | ········name="{{item}}" | ||
| 153 | ········enabled="no" | ||
| 154 | ········state="stopped" | ||
| 155 | ······register:·service_result | ||
| 156 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 157 | ······with_items: | ||
| 158 | ········-·atd | ||
| 159 | ······tags: | ||
| 160 | ········-·service_atd_disabled | ||
| 161 | ········-·unknown_severity | ||
| 162 | ········-·disable_strategy | ||
| 163 | ········-·low_complexity | ||
| 164 | ········-·low_disruption | ||
| 165 | ········-·CCE-27249-2 | ||
| 166 | ········-·NIST-800-53-CM-7 | ||
| 167 | ········-·DISA-STIG-RHEL-06-000262 | ||
| 168 | ···· | ||
| 117 | ····-·name:·Ensure·rsh-server·is·removed | 169 | ····-·name:·Ensure·rsh-server·is·removed |
| 118 | ······package: | 170 | ······package: |
| 119 | ········name="{{item}}" | 171 | ········name="{{item}}" |
| 120 | ········state=absent | 172 | ········state=absent |
| 121 | ······with_items: | 173 | ······with_items: |
| 122 | ········-·rsh-server | 174 | ········-·rsh-server |
| 123 | ······tags: | 175 | ······tags: |
| Offset 272, 50 lines modified | Offset 324, 14 lines modified | ||
| 272 | ········-·disable_strategy | 324 | ········-·disable_strategy |
| 273 | ········-·low_complexity | 325 | ········-·low_complexity |
| 274 | ········-·low_disruption | 326 | ········-·low_disruption |
| 275 | ········-·CCE-27005-8 | 327 | ········-·CCE-27005-8 |
| 276 | ········-·NIST-800-53-CM-7 | 328 | ········-·NIST-800-53-CM-7 |
| 277 | ········-·DISA-STIG-RHEL-06-000204 | 329 | ········-·DISA-STIG-RHEL-06-000204 |
| 278 | ···· | 330 | ···· |
| 279 | ····-·name:·Enable·service·crond | ||
| 280 | ······service: | ||
| 281 | ········name="{{item}}" | ||
| 282 | ········enabled="yes" | ||
| 283 | ········state="started" | ||
| 284 | ······with_items: | ||
| 285 | ········-·crond | ||
| 286 | ······tags: | ||
| Max diff block lines reached; 112847/118018 bytes (95.62%) of diff not shown. | |||
| Offset 40, 49 lines modified | Offset 40, 49 lines modified | ||
| 40 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 40 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 41 | ·········· | 41 | ·········· |
| 42 | ···vars: | 42 | ···vars: |
| 43 | ······sshd_idle_timeout_value:·900 | 43 | ······sshd_idle_timeout_value:·900 |
| 44 | ······rsyslog_remote_loghost_address:·None | 44 | ······rsyslog_remote_loghost_address:·None |
| 45 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 46 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 47 | ······sysctl_net_ipv4_icmp_ | 47 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 50 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 51 | ······sysctl_net_ipv4_conf_ | 51 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 52 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 52 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 53 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 54 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 54 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 55 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 55 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 56 | ······sysctl_net_ipv4_icmp_ | 56 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 57 | ······sysctl_net_ipv4_conf_ | 57 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 58 | ······var_selinux_policy_name:·targeted | 58 | ······var_selinux_policy_name:·targeted |
| 59 | ······var_selinux_state:·enforcing | 59 | ······var_selinux_state:·enforcing |
| 60 | ······var_accounts_password_minlen_login_defs:·15 | 60 | ······var_accounts_password_minlen_login_defs:·15 |
| 61 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 62 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 63 | ······var_accounts_password_warn_age_login_defs:·7 | 61 | ······var_accounts_password_warn_age_login_defs:·7 |
| 62 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 63 | ······var_accounts_minimum_age_login_defs:·1 | ||
| 64 | ······var_account_disable_post_pw_expiration:·35 | 64 | ······var_account_disable_post_pw_expiration:·35 |
| 65 | ······var_password_pam_unix_remember:·5 | 65 | ······var_password_pam_unix_remember:·5 |
| 66 | ······var_accounts_passwords_pam_faillock_deny:·3 | 66 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 67 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 67 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 68 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 | 68 | ······var_accounts_passwords_pam_faillock_fail_interval:·900 |
| 69 | ······var_password_pam_maxrepeat:·3 | 69 | ······var_password_pam_maxrepeat:·3 |
| 70 | ······var_password_pam_retry:·3 | 70 | ······var_password_pam_retry:·3 |
| 71 | ······var_accounts_user_umask:·077 | 71 | ······var_accounts_user_umask:·077 |
| 72 | ······var_accounts_tmout:·600 | 72 | ······var_accounts_tmout:·600 |
| 73 | ······var_accounts_max_concurrent_login_sessions:·10 | 73 | ······var_accounts_max_concurrent_login_sessions:·10 |
| 74 | ······var_removable_partition:·/dev/cdrom | ||
| 75 | ······var_removable_partition:·/dev/cdrom | ||
| 76 | ······var_removable_partition:·/dev/cdrom | ||
| 74 | ······var_auditd_max_log_file:·6 | 77 | ······var_auditd_max_log_file:·6 |
| 75 | ······var_auditd_action_mail_acct:·admin | 78 | ······var_auditd_action_mail_acct:·admin |
| 76 | ······var_auditd_space_left_action:·suspend | ||
| 77 | ······var_auditd_admin_space_left_action:·single | 79 | ······var_auditd_admin_space_left_action:·single |
| 80 | ······var_auditd_space_left_action:·suspend | ||
| 78 | ······var_auditd_max_log_file_action:·rotate | 81 | ······var_auditd_max_log_file_action:·rotate |
| 79 | ······var_removable_partition:·/dev/cdrom | ||
| 80 | ······var_removable_partition:·/dev/cdrom | ||
| 81 | ······var_removable_partition:·/dev/cdrom | ||
| 82 | ···tasks: | 82 | ···tasks: |
| 83 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | 83 | ····-·name:·Check·if·/etc/samba/smb.conf·exists |
| 84 | ······stat: | 84 | ······stat: |
| 85 | ········path:·/etc/samba/smb.conf | 85 | ········path:·/etc/samba/smb.conf |
| 86 | ······register:·st_smb | 86 | ······register:·st_smb |
| 87 | ······tags: | 87 | ······tags: |
| 88 | ········-·require_smb_client_signing | 88 | ········-·require_smb_client_signing |
| Offset 105, 63 lines modified | Offset 105, 98 lines modified | ||
| 105 | ········-·unknown_severity | 105 | ········-·unknown_severity |
| 106 | ········-·configure_strategy | 106 | ········-·configure_strategy |
| 107 | ········-·low_complexity | 107 | ········-·low_complexity |
| 108 | ········-·medium_disruption | 108 | ········-·medium_disruption |
| 109 | ········-·CCE-26328-5 | 109 | ········-·CCE-26328-5 |
| 110 | ········-·DISA-STIG-RHEL-06-000272 | 110 | ········-·DISA-STIG-RHEL-06-000272 |
| 111 | ···· | 111 | ···· |
| 112 | ····-·name:·En | 112 | ····-·name:·Enable·service·ntpd |
| 113 | ······service: | ||
| 114 | ········name="{{item}}" | ||
| 115 | ········enabled="yes" | ||
| 116 | ········state="started" | ||
| 117 | ······with_items: | ||
| 118 | ········-·ntpd | ||
| 119 | ······tags: | ||
| 120 | ········-·service_ntpd_enabled | ||
| 121 | ········-·medium_severity | ||
| 122 | ········-·enable_strategy | ||
| 123 | ········-·low_complexity | ||
| 124 | ········-·low_disruption | ||
| 125 | ········-·CCE-27093-4 | ||
| 126 | ········-·NIST-800-53-AU-8(1) | ||
| 127 | ········-·PCI-DSS-Req-10.4 | ||
| 128 | ········-·DISA-STIG-RHEL-06-000247 | ||
| 129 | ···· | ||
| 130 | ····-·name:·Ensure·openldap-servers·is·removed | ||
| 113 | ······package: | 131 | ······package: |
| 114 | ········name="{{item}}" | 132 | ········name="{{item}}" |
| 115 | ········state=absent | 133 | ········state=absent |
| 116 | ······with_items: | 134 | ······with_items: |
| 117 | ········-· | 135 | ········-·openldap-servers |
| 118 | ······tags: | 136 | ······tags: |
| 119 | ········-·package_ | 137 | ········-·package_openldap-servers_removed |
| 120 | ········-· | 138 | ········-·unknown_severity |
| 121 | ········-·disable_strategy | 139 | ········-·disable_strategy |
| 122 | ········-·low_complexity | 140 | ········-·low_complexity |
| 123 | ········-·low_disruption | 141 | ········-·low_disruption |
| 124 | ········-·CCE-2 | 142 | ········-·CCE-26858-1 |
| 125 | ········-·NIST-800-53-CM-7 | 143 | ········-·NIST-800-53-CM-7 |
| 126 | ········-·DISA-STIG-RHEL-06-0002 | 144 | ········-·DISA-STIG-RHEL-06-000256 |
| 127 | ···· | 145 | ···· |
| 128 | ····-·name:·Enable·service· | 146 | ····-·name:·Enable·service·crond |
| 129 | ······service: | 147 | ······service: |
| 130 | ········name="{{item}}" | 148 | ········name="{{item}}" |
| 131 | ········enabled="yes" | 149 | ········enabled="yes" |
| 132 | ········state="started" | 150 | ········state="started" |
| 133 | ······with_items: | 151 | ······with_items: |
| 134 | ········-· | 152 | ········-·crond |
| 135 | ······tags: | 153 | ······tags: |
| 136 | ········-·service_ | 154 | ········-·service_crond_enabled |
| 137 | ········-· | 155 | ········-·medium_severity |
| 138 | ········-·enable_strategy | 156 | ········-·enable_strategy |
| 139 | ········-·low_complexity | 157 | ········-·low_complexity |
| 140 | ········-·low_disruption | 158 | ········-·low_disruption |
| 141 | ········-·CCE-2 | 159 | ········-·CCE-27070-2 |
| 142 | ········-· | 160 | ········-·NIST-800-53-CM-7 |
| 161 | ········-·DISA-STIG-RHEL-06-000224 | ||
| 143 | ···· | 162 | ···· |
| 144 | ····-·name:· | 163 | ····-·name:·Disable·service·atd |
| 145 | ······service: | 164 | ······service: |
| 146 | ········name="{{item}}" | 165 | ········name="{{item}}" |
| 147 | ········enabled=" | 166 | ········enabled="no" |
| 148 | ········state="st | 167 | ········state="stopped" |
| 168 | ······register:·service_result | ||
| 169 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 149 | ······with_items: | 170 | ······with_items: |
| 150 | ········-· | 171 | ········-·atd |
| 151 | ······tags: | 172 | ······tags: |
| 152 | ········-·service_ | 173 | ········-·service_atd_disabled |
| 153 | ········-· | 174 | ········-·unknown_severity |
| 154 | ········-· | 175 | ········-·disable_strategy |
| Max diff block lines reached; 146690/151852 bytes (96.60%) of diff not shown. | |||
| Offset 35, 85 lines modified | Offset 35, 72 lines modified | ||
| 35 | ·········· | 35 | ·········· |
| 36 | ···vars: | 36 | ···vars: |
| 37 | ······sshd_idle_timeout_value:·300 | 37 | ······sshd_idle_timeout_value:·300 |
| 38 | ······rsyslog_remote_loghost_address:·None | 38 | ······rsyslog_remote_loghost_address:·None |
| 39 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 39 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 40 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 41 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 42 | ······sysctl_net_ipv4_icmp_ | 42 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 44 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 | ||
| 47 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 48 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 48 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 50 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 49 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 51 | ······sysctl_net_ipv4_icmp_ | 50 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 51 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 | ||
| 52 | ······var_selinux_policy_name:·targeted | 52 | ······var_selinux_policy_name:·targeted |
| 53 | ······var_selinux_state:·enforcing | 53 | ······var_selinux_state:·enforcing |
| 54 | ······var_accounts_password_minlen_login_defs:·12 | 54 | ······var_accounts_password_minlen_login_defs:·12 |
| 55 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 56 | ······var_accounts_password_warn_age_login_defs:·14 | 55 | ······var_accounts_password_warn_age_login_defs:·14 |
| 56 | ······var_accounts_maximum_age_login_defs:·60 | ||
| 57 | ······var_account_disable_post_pw_expiration:·30 | 57 | ······var_account_disable_post_pw_expiration:·30 |
| 58 | ······var_password_pam_unix_remember:·24 | 58 | ······var_password_pam_unix_remember:·24 |
| 59 | ······var_accounts_passwords_pam_faillock_deny:·5 | 59 | ······var_accounts_passwords_pam_faillock_deny:·5 |
| 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 | 60 | ······var_accounts_passwords_pam_faillock_unlock_time:·604800 |
| 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 61 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 62 | ······var_password_pam_retry:·3 | 62 | ······var_password_pam_retry:·3 |
| 63 | ······var_accounts_user_umask:·077 | 63 | ······var_accounts_user_umask:·077 |
| 64 | ······var_removable_partition:·/dev/cdrom | 64 | ······var_removable_partition:·/dev/cdrom |
| 65 | ······var_removable_partition:·/dev/cdrom | 65 | ······var_removable_partition:·/dev/cdrom |
| 66 | ······var_removable_partition:·/dev/cdrom | 66 | ······var_removable_partition:·/dev/cdrom |
| 67 | ···tasks: | 67 | ···tasks: |
| 68 | ····-·name:·Disable·service·s | 68 | ····-·name:·Disable·service·vsftpd |
| 69 | ······service: | 69 | ······service: |
| 70 | ········name="{{item}}" | 70 | ········name="{{item}}" |
| 71 | ········enabled="no" | 71 | ········enabled="no" |
| 72 | ········state="stopped" | 72 | ········state="stopped" |
| 73 | ······register:·service_result | 73 | ······register:·service_result |
| 74 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 74 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| 75 | ······with_items: | 75 | ······with_items: |
| 76 | ········-·s | 76 | ········-·vsftpd |
| 77 | ······tags: | 77 | ······tags: |
| 78 | ········-·service_s | 78 | ········-·service_vsftpd_disabled |
| 79 | ········-·unknown_severity | 79 | ········-·unknown_severity |
| 80 | ········-·disable_strategy | 80 | ········-·disable_strategy |
| 81 | ········-·low_complexity | 81 | ········-·low_complexity |
| 82 | ········-·low_disruption | 82 | ········-·low_disruption |
| 83 | ········-·CCE-2 | 83 | ········-·CCE-26948-0 |
| 84 | ···· | 84 | ········-·NIST-800-53-CM-7 |
| 85 | ····-·name:·Check·if·/etc/samba/smb.conf·exists | ||
| 86 | ······stat: | ||
| 87 | ········path:·/etc/samba/smb.conf | ||
| 88 | ······register:·st_smb | ||
| 89 | ······tags: | ||
| 90 | ········-·require_smb_client_signing | ||
| 91 | ········-·unknown_severity | ||
| 92 | ········-·configure_strategy | ||
| 93 | ········-·low_complexity | ||
| 94 | ········-·medium_disruption | ||
| 95 | ········-·CCE-26328-5 | ||
| 96 | ········-·DISA-STIG-RHEL-06-000272 | ||
| 97 | ···· | 85 | ···· |
| 98 | ····-·name:· | 86 | ····-·name:·Ensure·vsftpd·is·removed |
| 99 | ······ | 87 | ······package: |
| 100 | ········ | 88 | ········name="{{item}}" |
| 101 | ········ | 89 | ········state=absent |
| 102 | ······ | 90 | ······with_items: |
| 103 | ········ | 91 | ········-·vsftpd |
| 104 | ······when:·st_smb.stat.exists | ||
| 105 | ······tags: | 92 | ······tags: |
| 106 | ········-· | 93 | ········-·package_vsftpd_removed |
| 107 | ········-·unknown_severity | 94 | ········-·unknown_severity |
| 108 | ········-· | 95 | ········-·disable_strategy |
| 109 | ········-·low_complexity | 96 | ········-·low_complexity |
| 110 | ········-· | 97 | ········-·low_disruption |
| 111 | ········-·CCE-26 | 98 | ········-·CCE-26687-4 |
| 112 | ········-· | 99 | ········-·NIST-800-53-CM-7 |
| 113 | ···· | 100 | ···· |
| 114 | ····-·name:·Disable·service·httpd | 101 | ····-·name:·Disable·service·httpd |
| 115 | ······service: | 102 | ······service: |
| 116 | ········name="{{item}}" | 103 | ········name="{{item}}" |
| 117 | ········enabled="no" | 104 | ········enabled="no" |
| 118 | ········state="stopped" | 105 | ········state="stopped" |
| 119 | ······register:·service_result | 106 | ······register:·service_result |
| Offset 140, 62 lines modified | Offset 127, 92 lines modified | ||
| 140 | ········-·unknown_severity | 127 | ········-·unknown_severity |
| 141 | ········-·disable_strategy | 128 | ········-·disable_strategy |
| 142 | ········-·low_complexity | 129 | ········-·low_complexity |
| 143 | ········-·low_disruption | 130 | ········-·low_disruption |
| 144 | ········-·CCE-27133-8 | 131 | ········-·CCE-27133-8 |
| 145 | ········-·NIST-800-53-CM-7 | 132 | ········-·NIST-800-53-CM-7 |
| 146 | ···· | 133 | ···· |
| 147 | ····-·name:· | 134 | ····-·name:·Disable·service·named |
| 148 | ······ | 135 | ······service: |
| 149 | ········name="{{item}}" | 136 | ········name="{{item}}" |
| 150 | ········ | 137 | ········enabled="no" |
| 138 | ········state="stopped" | ||
| 139 | ······register:·service_result | ||
| 140 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 151 | ······with_items: | 141 | ······with_items: |
| 152 | ········-· | 142 | ········-·named |
| 153 | ······tags: | 143 | ······tags: |
| 154 | ········-· | 144 | ········-·service_named_disabled |
| 155 | ········-· | 145 | ········-·unknown_severity |
| 156 | ········-·disable_strategy | 146 | ········-·disable_strategy |
| 157 | ········-·low_complexity | 147 | ········-·low_complexity |
| 158 | ········-·low_disruption | 148 | ········-·low_disruption |
| 159 | ········-·CCE-2 | 149 | ········-·CCE-26873-0 |
| 160 | ········-·NIST-800-53-CM-7 | 150 | ········-·NIST-800-53-CM-7 |
| 161 | ········-·DISA-STIG-RHEL-06-000288 | ||
| 162 | ···· | 151 | ···· |
| 163 | ····-·name:·Ensure· | 152 | ····-·name:·Ensure·bind·is·removed |
| 164 | ······package: | 153 | ······package: |
| 165 | ········name="{{item}}" | 154 | ········name="{{item}}" |
| 166 | ········state=absent | 155 | ········state=absent |
| 167 | ······with_items: | 156 | ······with_items: |
| 168 | ········-· | 157 | ········-·bind |
| 169 | ······tags: | 158 | ······tags: |
| 170 | ········-·package_ | 159 | ········-·package_bind_removed |
| 171 | ········-· | 160 | ········-·unknown_severity |
| 172 | ········-·disable_strategy | 161 | ········-·disable_strategy |
| 173 | ········-·low_complexity | 162 | ········-·low_complexity |
| 174 | ········-·low_disruption | 163 | ········-·low_disruption |
| 175 | ········-·CCE-27 | 164 | ········-·CCE-27030-6 |
| Max diff block lines reached; 159145/164250 bytes (96.89%) of diff not shown. | |||
| Offset 46, 26 lines modified | Offset 46, 26 lines modified | ||
| 46 | ······sshd_idle_timeout_value:·7200 | 46 | ······sshd_idle_timeout_value:·7200 |
| 47 | ······rsyslog_remote_loghost_address:·logcollector | 47 | ······rsyslog_remote_loghost_address:·logcollector |
| 48 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 48 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 49 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 49 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 50 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 50 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 51 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 51 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 52 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 52 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 53 | ······sysctl_net_ipv4_icmp_ | 53 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 54 | ······sysctl_net_ipv4_conf_default_ | 54 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 55 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 55 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 56 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 56 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 57 | ······sysctl_net_ipv4_conf_ | 57 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 58 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 58 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 59 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 59 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 60 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 60 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 61 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 61 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 62 | ······sysctl_net_ipv4_icmp_ | 62 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 63 | ······sysctl_net_ipv4_conf_ | 63 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 64 | ······sysctl_net_ipv4_conf_default_ | 64 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 65 | ······var_selinux_policy_name:·targeted | 65 | ······var_selinux_policy_name:·targeted |
| 66 | ······var_selinux_state:·enforcing | 66 | ······var_selinux_state:·enforcing |
| 67 | ······var_accounts_password_warn_age_login_defs:·7 | 67 | ······var_accounts_password_warn_age_login_defs:·7 |
| 68 | ······var_accounts_minimum_age_login_defs:·7 | 68 | ······var_accounts_minimum_age_login_defs:·7 |
| 69 | ······var_accounts_maximum_age_login_defs:·90 | 69 | ······var_accounts_maximum_age_login_defs:·90 |
| 70 | ······var_account_disable_post_pw_expiration:·30 | 70 | ······var_account_disable_post_pw_expiration:·30 |
| 71 | ······var_password_pam_unix_remember:·5 | 71 | ······var_password_pam_unix_remember:·5 |
| Offset 274, 14 lines modified | Offset 274, 30 lines modified | ||
| 274 | ········-·disable_strategy | 274 | ········-·disable_strategy |
| 275 | ········-·low_complexity | 275 | ········-·low_complexity |
| 276 | ········-·low_disruption | 276 | ········-·low_disruption |
| 277 | ········-·CCE-80212-4 | 277 | ········-·CCE-80212-4 |
| 278 | ········-·NIST-800-53-AC-17(8) | 278 | ········-·NIST-800-53-AC-17(8) |
| 279 | ········-·NIST-800-53-CM-7 | 279 | ········-·NIST-800-53-CM-7 |
| 280 | ···· | 280 | ···· |
| 281 | ····-·name:·Ensure·tcp_wrappers·is·installed | ||
| 282 | ······package: | ||
| 283 | ········name="{{item}}" | ||
| 284 | ········state=present | ||
| 285 | ······with_items: | ||
| 286 | ········-·tcp_wrappers | ||
| 287 | ······tags: | ||
| 288 | ········-·package_tcp_wrappers_installed | ||
| 289 | ········-·medium_severity | ||
| 290 | ········-·enable_strategy | ||
| 291 | ········-·low_complexity | ||
| 292 | ········-·low_disruption | ||
| 293 | ········-·CCE-27361-5 | ||
| 294 | ········-·NIST-800-53-CM-6(b) | ||
| 295 | ········-·DISA-STIG-RHEL-07-TBD | ||
| 296 | ···· | ||
| 281 | ····-·name:·Disable·service·xinetd | 297 | ····-·name:·Disable·service·xinetd |
| 282 | ······service: | 298 | ······service: |
| 283 | ········name="{{item}}" | 299 | ········name="{{item}}" |
| 284 | ········enabled="no" | 300 | ········enabled="no" |
| 285 | ········state="stopped" | 301 | ········state="stopped" |
| 286 | ······register:·service_result | 302 | ······register:·service_result |
| 287 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 303 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 294, 30 lines modified | Offset 310, 14 lines modified | ||
| 294 | ········-·low_complexity | 310 | ········-·low_complexity |
| 295 | ········-·low_disruption | 311 | ········-·low_disruption |
| 296 | ········-·CCE-27443-1 | 312 | ········-·CCE-27443-1 |
| 297 | ········-·NIST-800-53-AC-17(8) | 313 | ········-·NIST-800-53-AC-17(8) |
| 298 | ········-·NIST-800-53-CM-7 | 314 | ········-·NIST-800-53-CM-7 |
| 299 | ········-·NIST-800-171-3.4.7 | 315 | ········-·NIST-800-171-3.4.7 |
| 300 | ···· | 316 | ···· |
| 301 | ····-·name:·Ensure·tcp_wrappers·is·installed | ||
| 302 | ······package: | ||
| 303 | ········name="{{item}}" | ||
| 304 | ········state=present | ||
| 305 | ······with_items: | ||
| 306 | ········-·tcp_wrappers | ||
| 307 | ······tags: | ||
| 308 | ········-·package_tcp_wrappers_installed | ||
| 309 | ········-·medium_severity | ||
| 310 | ········-·enable_strategy | ||
| 311 | ········-·low_complexity | ||
| 312 | ········-·low_disruption | ||
| 313 | ········-·CCE-27361-5 | ||
| 314 | ········-·NIST-800-53-CM-6(b) | ||
| 315 | ········-·DISA-STIG-RHEL-07-TBD | ||
| 316 | ···· | ||
| 317 | ····-·name:·Ensure·talk·is·removed | 317 | ····-·name:·Ensure·talk·is·removed |
| 318 | ······package: | 318 | ······package: |
| 319 | ········name="{{item}}" | 319 | ········name="{{item}}" |
| 320 | ········state=absent | 320 | ········state=absent |
| 321 | ······with_items: | 321 | ······with_items: |
| 322 | ········-·talk | 322 | ········-·talk |
| 323 | ······tags: | 323 | ······tags: |
| Offset 338, 14 lines modified | Offset 338, 31 lines modified | ||
| 338 | ········-·package_talk-server_removed | 338 | ········-·package_talk-server_removed |
| 339 | ········-·medium_severity | 339 | ········-·medium_severity |
| 340 | ········-·disable_strategy | 340 | ········-·disable_strategy |
| 341 | ········-·low_complexity | 341 | ········-·low_complexity |
| 342 | ········-·low_disruption | 342 | ········-·low_disruption |
| 343 | ········-·CCE-27210-4 | 343 | ········-·CCE-27210-4 |
| 344 | ···· | 344 | ···· |
| 345 | ····-·name:·Disable·service·dovecot | ||
| 346 | ······service: | ||
| 347 | ········name="{{item}}" | ||
| 348 | ········enabled="no" | ||
| 349 | ········state="stopped" | ||
| 350 | ······register:·service_result | ||
| 351 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | ||
| 352 | ······with_items: | ||
| 353 | ········-·dovecot | ||
| 354 | ······tags: | ||
| 355 | ········-·service_dovecot_disabled | ||
| 356 | ········-·unknown_severity | ||
| 357 | ········-·disable_strategy | ||
| 358 | ········-·low_complexity | ||
| 359 | ········-·low_disruption | ||
| 360 | ········-·CCE-80294-2 | ||
| 361 | ···· | ||
| 345 | ····-·name:·Disable·service·vsftpd | 362 | ····-·name:·Disable·service·vsftpd |
| 346 | ······service: | 363 | ······service: |
| 347 | ········name="{{item}}" | 364 | ········name="{{item}}" |
| 348 | ········enabled="no" | 365 | ········enabled="no" |
| 349 | ········state="stopped" | 366 | ········state="stopped" |
| 350 | ······register:·service_result | 367 | ······register:·service_result |
| 351 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 368 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 496, 31 lines modified | Offset 513, 14 lines modified | ||
| 496 | ········-·medium_severity | 513 | ········-·medium_severity |
| 497 | ········-·disable_strategy | 514 | ········-·disable_strategy |
| 498 | ········-·low_complexity | 515 | ········-·low_complexity |
| 499 | ········-·low_disruption | 516 | ········-·low_disruption |
| 500 | ········-·CCE-80330-4 | 517 | ········-·CCE-80330-4 |
| 501 | ········-·NIST-800-53-CM-7 | 518 | ········-·NIST-800-53-CM-7 |
| Max diff block lines reached; 97763/102303 bytes (95.56%) of diff not shown. | |||
| Offset 37, 28 lines modified | Offset 37, 28 lines modified | ||
| 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." | 37 | ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role." |
| 38 | ·········· | 38 | ·········· |
| 39 | ···vars: | 39 | ···vars: |
| 40 | ······sshd_idle_timeout_value:·1800 | 40 | ······sshd_idle_timeout_value:·1800 |
| 41 | ······sshd_listening_port:·22 | 41 | ······sshd_listening_port:·22 |
| 42 | ······inactivity_timeout_value:·1800 | 42 | ······inactivity_timeout_value:·1800 |
| 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 43 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 44 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 45 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 46 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | 44 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 47 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 45 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 46 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | ||
| 47 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 48 | ······var_accounts_minimum_age_login_defs:·1 | 48 | ······var_accounts_minimum_age_login_defs:·1 |
| 49 | ······var_account_disable_post_pw_expiration:·0 | 49 | ······var_account_disable_post_pw_expiration:·0 |
| 50 | ······var_password_pam_minlen:·12 | 50 | ······var_password_pam_minlen:·12 |
| 51 | ······var_password_pam_difok:·6 | 51 | ······var_password_pam_difok:·6 |
| 52 | ······var_accounts_max_concurrent_login_sessions:·3 | 52 | ······var_accounts_max_concurrent_login_sessions:·3 |
| 53 | ······var_auditd_max_log_file:·1 | 53 | ······var_auditd_max_log_file:·1 |
| 54 | ······var_auditd_action_mail_acct:·admin | 54 | ······var_auditd_action_mail_acct:·admin |
| 55 | ······var_auditd_space_left_action:·suspend | ||
| 56 | ······var_auditd_admin_space_left_action:·suspend | 55 | ······var_auditd_admin_space_left_action:·suspend |
| 57 | ······var_auditd_max_log_file_action:·rotate | 56 | ······var_auditd_max_log_file_action:·rotate |
| 57 | ······var_auditd_space_left_action:·suspend | ||
| 58 | ···tasks: | 58 | ···tasks: |
| 59 | ····-·name:·Disable·SSH·Access·via·Empty·Passwords | 59 | ····-·name:·Disable·SSH·Access·via·Empty·Passwords |
| 60 | ······lineinfile: | 60 | ······lineinfile: |
| 61 | ········create:·yes | 61 | ········create:·yes |
| 62 | ········dest:·/etc/ssh/sshd_config | 62 | ········dest:·/etc/ssh/sshd_config |
| 63 | ········regexp:·^PermitEmptyPasswords | 63 | ········regexp:·^PermitEmptyPasswords |
| 64 | ········line:·PermitEmptyPasswords·no | 64 | ········line:·PermitEmptyPasswords·no |
| Offset 96, 14 lines modified | Offset 96, 39 lines modified | ||
| 96 | ········-·NIST-800-53-AC-2(5) | 96 | ········-·NIST-800-53-AC-2(5) |
| 97 | ········-·NIST-800-53-SA-8 | 97 | ········-·NIST-800-53-SA-8 |
| 98 | ········-·NIST-800-53-AC-12 | 98 | ········-·NIST-800-53-AC-12 |
| 99 | ········-·NIST-800-171-3.1.11 | 99 | ········-·NIST-800-171-3.1.11 |
| 100 | ········-·CJIS-5.5.6 | 100 | ········-·CJIS-5.5.6 |
| 101 | ········-·DISA-STIG-RHEL-07-040340 | 101 | ········-·DISA-STIG-RHEL-07-040340 |
| 102 | ···· | 102 | ···· |
| 103 | ···· | ||
| 104 | ···· | ||
| 105 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 106 | ······lineinfile: | ||
| 107 | ········create:·yes | ||
| 108 | ········dest:·/etc/ssh/sshd_config | ||
| 109 | ········regexp:·^ClientAliveInterval | ||
| 110 | ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}" | ||
| 111 | ········validate:·sshd·-t·-f·%s | ||
| 112 | ······#notify:·restart·sshd | ||
| 113 | ······tags: | ||
| 114 | ········-·sshd_set_idle_timeout | ||
| 115 | ········-·unknown_severity | ||
| 116 | ········-·restrict_strategy | ||
| 117 | ········-·low_complexity | ||
| 118 | ········-·low_disruption | ||
| 119 | ········-·CCE-27433-2 | ||
| 120 | ········-·NIST-800-53-AC-2(5) | ||
| 121 | ········-·NIST-800-53-SA-8(i) | ||
| 122 | ········-·NIST-800-53-AC-12 | ||
| 123 | ········-·NIST-800-171-3.1.11 | ||
| 124 | ········-·PCI-DSS-Req-8.1.8 | ||
| 125 | ········-·CJIS-5.5.6 | ||
| 126 | ········-·DISA-STIG-RHEL-07-040320 | ||
| 127 | ···· | ||
| 103 | ····-·name:·Enable·SSH·Warning·Banner | 128 | ····-·name:·Enable·SSH·Warning·Banner |
| 104 | ······lineinfile: | 129 | ······lineinfile: |
| 105 | ········create:·yes | 130 | ········create:·yes |
| 106 | ········dest:·/etc/ssh/sshd_config | 131 | ········dest:·/etc/ssh/sshd_config |
| 107 | ········regexp:·^Banner | 132 | ········regexp:·^Banner |
| 108 | ········line:·Banner·/etc/issue | 133 | ········line:·Banner·/etc/issue |
| 109 | ········validate:·sshd·-t·-f·%s | 134 | ········validate:·sshd·-t·-f·%s |
| Offset 119, 33 lines modified | Offset 144, 14 lines modified | ||
| 119 | ········-·NIST-800-53-AC-8(c)(1) | 144 | ········-·NIST-800-53-AC-8(c)(1) |
| 120 | ········-·NIST-800-53-AC-8(c)(2) | 145 | ········-·NIST-800-53-AC-8(c)(2) |
| 121 | ········-·NIST-800-53-AC-8(c)(3) | 146 | ········-·NIST-800-53-AC-8(c)(3) |
| 122 | ········-·NIST-800-171-3.1.9 | 147 | ········-·NIST-800-171-3.1.9 |
| 123 | ········-·CJIS-5.5.6 | 148 | ········-·CJIS-5.5.6 |
| 124 | ········-·DISA-STIG-RHEL-07-040170 | 149 | ········-·DISA-STIG-RHEL-07-040170 |
| 125 | ···· | 150 | ···· |
| 126 | ····-·name:·Do·Not·Allow·SSH·Environment·Options | ||
| 127 | ······lineinfile: | ||
| 128 | ········create:·yes | ||
| 129 | ········dest:·/etc/ssh/sshd_config | ||
| 130 | ········regexp:·^PermitUserEnvironment | ||
| 131 | ········line:·PermitUserEnvironment·no | ||
| 132 | ········validate:·sshd·-t·-f·%s | ||
| 133 | ······tags: | ||
| 134 | ········-·sshd_do_not_permit_user_env | ||
| 135 | ········-·medium_severity | ||
| 136 | ········-·restrict_strategy | ||
| 137 | ········-·low_complexity | ||
| 138 | ········-·low_disruption | ||
| 139 | ········-·CCE-27363-1 | ||
| 140 | ········-·NIST-800-53-CM-6(b) | ||
| 141 | ········-·NIST-800-171-3.1.12 | ||
| 142 | ········-·CJIS-5.5.6 | ||
| 143 | ········-·DISA-STIG-RHEL-07-010460 | ||
| 144 | ···· | ||
| 145 | ···· | 151 | ···· |
| 146 | ····-·name:·"Allow·Only·SSH·Protocol·2" | 152 | ····-·name:·"Allow·Only·SSH·Protocol·2" |
| 147 | ······lineinfile: | 153 | ······lineinfile: |
| 148 | ········dest:·/etc/ssh/sshd_config | 154 | ········dest:·/etc/ssh/sshd_config |
| 149 | ········regexp:·"^Protocol·[0-9]" | 155 | ········regexp:·"^Protocol·[0-9]" |
| 150 | ········line:·"Protocol·2" | 156 | ········line:·"Protocol·2" |
| 151 | ········validate:·sshd·-t·-f·%s | 157 | ········validate:·sshd·-t·-f·%s |
| Offset 180, 38 lines modified | Offset 186, 32 lines modified | ||
| 180 | ········-·CCE-27377-1 | 186 | ········-·CCE-27377-1 |
| 181 | ········-·NIST-800-53-AC-3 | 187 | ········-·NIST-800-53-AC-3 |
| 182 | ········-·NIST-800-53-CM-6(a) | 188 | ········-·NIST-800-53-CM-6(a) |
| 183 | ········-·NIST-800-171-3.1.12 | 189 | ········-·NIST-800-171-3.1.12 |
| 184 | ········-·CJIS-5.5.6 | 190 | ········-·CJIS-5.5.6 |
| 185 | ········-·DISA-STIG-RHEL-07-040350 | 191 | ········-·DISA-STIG-RHEL-07-040350 |
| 186 | ···· | 192 | ···· |
| 187 | ···· | 193 | ····-·name:·Do·Not·Allow·SSH·Environment·Options |
| 188 | ···· | ||
| 189 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 190 | ······lineinfile: | 194 | ······lineinfile: |
| 191 | ········create:·yes | 195 | ········create:·yes |
| 192 | ········dest:·/etc/ssh/sshd_config | 196 | ········dest:·/etc/ssh/sshd_config |
| 193 | ········regexp:·^ | 197 | ········regexp:·^PermitUserEnvironment |
| 194 | ········line:· | 198 | ········line:·PermitUserEnvironment·no |
| 195 | ········validate:·sshd·-t·-f·%s | 199 | ········validate:·sshd·-t·-f·%s |
| 196 | ······#notify:·restart·sshd | ||
| 197 | ······tags: | 200 | ······tags: |
| 198 | ········-·sshd_ | 201 | ········-·sshd_do_not_permit_user_env |
| 199 | ········-· | 202 | ········-·medium_severity |
| 200 | ········-·restrict_strategy | 203 | ········-·restrict_strategy |
| Max diff block lines reached; 66416/70623 bytes (94.04%) of diff not shown. | |||
| Offset 220, 14 lines modified | Offset 220, 28 lines modified | ||
| 220 | ········-·low_complexity | 220 | ········-·low_complexity |
| 221 | ········-·low_disruption | 221 | ········-·low_disruption |
| 222 | ········-·CCE-27165-0 | 222 | ········-·CCE-27165-0 |
| 223 | ········-·NIST-800-53-AC-17(8) | 223 | ········-·NIST-800-53-AC-17(8) |
| 224 | ········-·NIST-800-53-CM-7(a) | 224 | ········-·NIST-800-53-CM-7(a) |
| 225 | ········-·DISA-STIG-RHEL-07-021710 | 225 | ········-·DISA-STIG-RHEL-07-021710 |
| 226 | ···· | 226 | ···· |
| 227 | ····-·name:·Ensure·ypbind·is·removed | ||
| 228 | ······package: | ||
| 229 | ········name="{{item}}" | ||
| 230 | ········state=absent | ||
| 231 | ······with_items: | ||
| 232 | ········-·ypbind | ||
| 233 | ······tags: | ||
| 234 | ········-·package_ypbind_removed | ||
| 235 | ········-·unknown_severity | ||
| 236 | ········-·disable_strategy | ||
| 237 | ········-·low_complexity | ||
| 238 | ········-·low_disruption | ||
| 239 | ········-·CCE-27396-1 | ||
| 240 | ···· | ||
| 227 | ····-·name:·Disable·service·ypbind | 241 | ····-·name:·Disable·service·ypbind |
| 228 | ······service: | 242 | ······service: |
| 229 | ········name="{{item}}" | 243 | ········name="{{item}}" |
| 230 | ········enabled="no" | 244 | ········enabled="no" |
| 231 | ········state="stopped" | 245 | ········state="stopped" |
| 232 | ······register:·service_result | 246 | ······register:·service_result |
| 233 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" | 247 | ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" |
| Offset 239, 28 lines modified | Offset 253, 14 lines modified | ||
| 239 | ········-·disable_strategy | 253 | ········-·disable_strategy |
| 240 | ········-·low_complexity | 254 | ········-·low_complexity |
| 241 | ········-·low_disruption | 255 | ········-·low_disruption |
| 242 | ········-·CCE-27385-4 | 256 | ········-·CCE-27385-4 |
| 243 | ········-·NIST-800-53-AC-17(8) | 257 | ········-·NIST-800-53-AC-17(8) |
| 244 | ········-·NIST-800-53-CM-7 | 258 | ········-·NIST-800-53-CM-7 |
| 245 | ···· | 259 | ···· |
| 246 | ····-·name:·Ensure·ypbind·is·removed | ||
| 247 | ······package: | ||
| 248 | ········name="{{item}}" | ||
| 249 | ········state=absent | ||
| 250 | ······with_items: | ||
| 251 | ········-·ypbind | ||
| 252 | ······tags: | ||
| 253 | ········-·package_ypbind_removed | ||
| 254 | ········-·unknown_severity | ||
| 255 | ········-·disable_strategy | ||
| 256 | ········-·low_complexity | ||
| 257 | ········-·low_disruption | ||
| 258 | ········-·CCE-27396-1 | ||
| 259 | ···· | ||
| 260 | ····-·name:·Ensure·ypserv·is·removed | 260 | ····-·name:·Ensure·ypserv·is·removed |
| 261 | ······package: | 261 | ······package: |
| 262 | ········name="{{item}}" | 262 | ········name="{{item}}" |
| 263 | ········state=absent | 263 | ········state=absent |
| 264 | ······with_items: | 264 | ······with_items: |
| 265 | ········-·ypserv | 265 | ········-·ypserv |
| 266 | ······tags: | 266 | ······tags: |
| Offset 389, 14 lines modified | Offset 389, 33 lines modified | ||
| 389 | ········-·low_disruption | 389 | ········-·low_disruption |
| 390 | ········-·CCE-80258-7 | 390 | ········-·CCE-80258-7 |
| 391 | ········-·NIST-800-53-AC-17(8) | 391 | ········-·NIST-800-53-AC-17(8) |
| 392 | ········-·NIST-800-53-CM-7 | 392 | ········-·NIST-800-53-CM-7 |
| 393 | ········-·NIST-800-53-CM-6(b) | 393 | ········-·NIST-800-53-CM-6(b) |
| 394 | ········-·DISA-STIG-RHEL-07-021300 | 394 | ········-·DISA-STIG-RHEL-07-021300 |
| 395 | ···· | 395 | ···· |
| 396 | ····-·name:·"Enable·Use·of·Strict·Mode·Checking" | ||
| 397 | ······lineinfile: | ||
| 398 | ········create:·yes | ||
| 399 | ········dest:·/etc/ssh/sshd_config | ||
| 400 | ········regexp:·(?i)^#?strictmodes | ||
| 401 | ········line:·StrictModes·yes | ||
| 402 | ········validate:·sshd·-t·-f·%s | ||
| 403 | ······#notify:·restart·sshd | ||
| 404 | ······tags: | ||
| 405 | ········-·sshd_enable_strictmodes | ||
| 406 | ········-·medium_severity | ||
| 407 | ········-·restrict_strategy | ||
| 408 | ········-·low_complexity | ||
| 409 | ········-·low_disruption | ||
| 410 | ········-·CCE-80222-3 | ||
| 411 | ········-·NIST-800-53-AC-6 | ||
| 412 | ········-·NIST-800-171-3.1.12 | ||
| 413 | ········-·DISA-STIG-RHEL-07-040450 | ||
| 414 | ···· | ||
| 396 | ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts" | 415 | ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts" |
| 397 | ······lineinfile: | 416 | ······lineinfile: |
| 398 | ········create:·yes | 417 | ········create:·yes |
| 399 | ········dest:·/etc/ssh/sshd_config | 418 | ········dest:·/etc/ssh/sshd_config |
| 400 | ········regexp:·^IgnoreUserKnownHosts | 419 | ········regexp:·^IgnoreUserKnownHosts |
| 401 | ········line:·IgnoreUserKnownHosts·yes | 420 | ········line:·IgnoreUserKnownHosts·yes |
| 402 | ········validate:·sshd·-t·-f·%s | 421 | ········validate:·sshd·-t·-f·%s |
| Offset 452, 32 lines modified | Offset 471, 14 lines modified | ||
| 452 | ········-·NIST-800-53-AC-2(5) | 471 | ········-·NIST-800-53-AC-2(5) |
| 453 | ········-·NIST-800-53-SA-8 | 472 | ········-·NIST-800-53-SA-8 |
| 454 | ········-·NIST-800-53-AC-12 | 473 | ········-·NIST-800-53-AC-12 |
| 455 | ········-·NIST-800-171-3.1.11 | 474 | ········-·NIST-800-171-3.1.11 |
| 456 | ········-·CJIS-5.5.6 | 475 | ········-·CJIS-5.5.6 |
| 457 | ········-·DISA-STIG-RHEL-07-040340 | 476 | ········-·DISA-STIG-RHEL-07-040340 |
| 458 | ···· | 477 | ···· |
| 459 | ····-·name:·Disable·SSH·Support·for·Rhosts·RSA·Authentication | ||
| 460 | ······lineinfile: | ||
| 461 | ········create:·yes | ||
| 462 | ········dest:·/etc/ssh/sshd_config | ||
| 463 | ········regexp:·^RhostsRSAAuthentication | ||
| 464 | ········line:·RhostsRSAAuthentication·no | ||
| 465 | ········validate:·sshd·-t·-f·%s | ||
| 466 | ······tags: | ||
| 467 | ········-·sshd_disable_rhosts_rsa | ||
| 468 | ········-·medium_severity | ||
| 469 | ········-·restrict_strategy | ||
| 470 | ········-·low_complexity | ||
| 471 | ········-·low_disruption | ||
| 472 | ········-·CCE-80373-4 | ||
| 473 | ········-·NIST-800-53-CM-6(a) | ||
| 474 | ········-·NIST-800-171-3.1.12 | ||
| 475 | ········-·DISA-STIG-RHEL-07-040330 | ||
| 476 | ···· | ||
| 477 | ····-·name:·Enable·SSH·Warning·Banner | 478 | ····-·name:·Enable·SSH·Warning·Banner |
| 478 | ······lineinfile: | 479 | ······lineinfile: |
| 479 | ········create:·yes | 480 | ········create:·yes |
| 480 | ········dest:·/etc/ssh/sshd_config | 481 | ········dest:·/etc/ssh/sshd_config |
| 481 | ········regexp:·^Banner | 482 | ········regexp:·^Banner |
| 482 | ········line:·Banner·/etc/issue | 483 | ········line:·Banner·/etc/issue |
| 483 | ········validate:·sshd·-t·-f·%s | 484 | ········validate:·sshd·-t·-f·%s |
| Offset 516, 33 lines modified | Offset 517, 14 lines modified | ||
| 516 | ········-·NIST-800-53-IA-7 | 517 | ········-·NIST-800-53-IA-7 |
| 517 | ········-·NIST-800-53-SC-13 | 518 | ········-·NIST-800-53-SC-13 |
| Max diff block lines reached; 98846/102348 bytes (96.58%) of diff not shown. | |||
| Offset 50, 93 lines modified | Offset 50, 93 lines modified | ||
| 50 | ·········· | 50 | ·········· |
| 51 | ···vars: | 51 | ···vars: |
| 52 | ······sshd_idle_timeout_value:·600 | 52 | ······sshd_idle_timeout_value:·600 |
| 53 | ······sshd_listening_port:·22 | 53 | ······sshd_listening_port:·22 |
| 54 | ······inactivity_timeout_value:·600 | 54 | ······inactivity_timeout_value:·600 |
| 55 | ······rsyslog_remote_loghost_address:·logcollector | 55 | ······rsyslog_remote_loghost_address:·logcollector |
| 56 | ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0 | 56 | ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0 |
| 57 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | ||
| 58 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 57 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 58 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | ||
| 59 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 59 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 60 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 60 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 61 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 61 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 62 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 62 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 63 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 63 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 64 | ······sysctl_net_ipv4_icmp_ | 64 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 65 | ······sysctl_net_ipv4_conf_default_ | 65 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 66 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 66 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 67 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 67 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 68 | ······sysctl_net_ipv4_conf_ | 68 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 69 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 69 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 70 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 70 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 71 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 71 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 72 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 72 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 73 | ······sysctl_net_ipv4_icmp_ | 73 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 74 | ······sysctl_net_ipv4_conf_ | 74 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 75 | ······sysctl_net_ipv4_conf_default_ | 75 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 76 | ······var_ssh_sysadm_login:·false | 76 | ······var_ssh_sysadm_login:·false |
| 77 | ······var_login_console_enabled:·true | ||
| 77 | ······var_auditadm_exec_content:·true | 78 | ······var_auditadm_exec_content:·true |
| 78 | ······var_selinuxuser_execstack:·true | 79 | ······var_selinuxuser_execstack:·true |
| 79 | ······var_mount_anyfile:·true | 80 | ······var_mount_anyfile:·true |
| 80 | ······var_ | 81 | ······var_cron_system_cronjob_use_shares:·false |
| 81 | ······var_cron_can_relabel:·false | 82 | ······var_cron_can_relabel:·false |
| 83 | ······var_guest_exec_content:·true | ||
| 84 | ······var_secure_mode:·false | ||
| 82 | ······var_user_exec_content:·true | 85 | ······var_user_exec_content:·true |
| 83 | ······var_deny_ptrace:·false | 86 | ······var_deny_ptrace:·false |
| 84 | ······var_guest_exec_content:·true | ||
| 85 | ······var_xserver_object_manager:·false | 87 | ······var_xserver_object_manager:·false |
| 86 | ······var_xdm_sysadm_login:·false | 88 | ······var_xdm_sysadm_login:·false |
| 89 | ······var_sysadm_exec_content:·true | ||
| 87 | ······var_selinuxuser_mysql_connect_enabled:·false | 90 | ······var_selinuxuser_mysql_connect_enabled:·false |
| 88 | ······var_ | 91 | ······var_selinuxuser_udp_server:·false |
| 89 | ······var_secure_mode:·false | ||
| 90 | ······var_ssh_keysign:·false | 92 | ······var_ssh_keysign:·false |
| 91 | ······var_staff_exec_content:·true | 93 | ······var_staff_exec_content:·true |
| 94 | ······var_gpg_web_anon_write:·false | ||
| 92 | ······var_xserver_execmem:·false | 95 | ······var_xserver_execmem:·false |
| 93 | ······var_ | 96 | ······var_cron_userdomain_transition:·true |
| 97 | ······var_xguest_mount_media:·true | ||
| 94 | ······var_selinuxuser_rw_noexattrfile:·true | 98 | ······var_selinuxuser_rw_noexattrfile:·true |
| 95 | ······var_deny_execmem:·false | 99 | ······var_deny_execmem:·false |
| 96 | ······var_ssh_chroot_rw_homedirs:·false | 100 | ······var_ssh_chroot_rw_homedirs:·false |
| 97 | ······var_logging_syslogd_can_sendmail:·false | ||
| 98 | ······var_abrt_anon_write:·false | 101 | ······var_abrt_anon_write:·false |
| 99 | ······var_ | 102 | ······var_kerberos_enabled:·true |
| 100 | ······var_logging_syslogd_use_tty:·true | 103 | ······var_logging_syslogd_use_tty:·true |
| 101 | ······var_login_console_enabled:·true | ||
| 102 | ······var_abrt_handle_event:·false | 104 | ······var_abrt_handle_event:·false |
| 105 | ······var_mock_enable_homedirs:·false | ||
| 106 | ······var_secure_mode_insmod:·false | ||
| 103 | ······var_unconfined_login:·true | 107 | ······var_unconfined_login:·true |
| 108 | ······var_logging_syslogd_can_sendmail:·false | ||
| 104 | ······var_selinuxuser_postgresql_connect_enabled:·false | 109 | ······var_selinuxuser_postgresql_connect_enabled:·false |
| 110 | ······var_daemons_use_tcp_wrapper:·false | ||
| 105 | ······var_abrt_upload_watch_anon_write:·true | 111 | ······var_abrt_upload_watch_anon_write:·true |
| 106 | ······var_daemons_use_tty:·false | 112 | ······var_daemons_use_tty:·false |
| 107 | ······var_selinuxuser_tcp_server:·false | 113 | ······var_selinuxuser_tcp_server:·false |
| 108 | ······var_selinuxuser_direct_dri_enabled:·true | 114 | ······var_selinuxuser_direct_dri_enabled:·true |
| 109 | ······var_xdm_bind_vnc_tcp_port:·false | 115 | ······var_xdm_bind_vnc_tcp_port:·false |
| 110 | ······var_xserver_clients_write_xshm:·false | 116 | ······var_xserver_clients_write_xshm:·false |
| 111 | ······var_use_ecryptfs_home_dirs:·false | 117 | ······var_use_ecryptfs_home_dirs:·false |
| 112 | ······var_mock_enable_homedirs:·false | ||
| 113 | ······var_xguest_exec_content:·true | 118 | ······var_xguest_exec_content:·true |
| 119 | ······var_xdm_write_home:·false | ||
| 120 | ······var_logadm_exec_content:·true | ||
| 114 | ······var_domain_fd_use:·true | 121 | ······var_domain_fd_use:·true |
| 115 | ······var_selinuxuser_udp_server:·false | ||
| 116 | ······var_mmap_low_allowed:·false | 122 | ······var_mmap_low_allowed:·false |
| 117 | ······var_selinuxuser_share_music:·false | 123 | ······var_selinuxuser_share_music:·false |
| 118 | ······var_selinuxuser_execmod:·true | 124 | ······var_selinuxuser_execmod:·true |
| 119 | ······var_cron_system_cronjob_use_shares:·false | ||
| 120 | ······var_logadm_exec_content:·true | ||
| 121 | ······var_xguest_connect_network:·true | 125 | ······var_xguest_connect_network:·true |
| 122 | ······var_xdm_write_home:·false | ||
| 123 | ······var_sysadm_exec_content:·true | ||
| 124 | ······var_xguest_use_bluetooth:·true | 126 | ······var_xguest_use_bluetooth:·true |
| 125 | ······var_ | 127 | ······var_selinuxuser_execheap:·false |
| 126 | ······var_secure_mode_policyload:·false | ||
| 127 | ······var_daemons_dump_core:·false | 128 | ······var_daemons_dump_core:·false |
| 128 | ······var_xdm_exec_bootloader:·false | 129 | ······var_xdm_exec_bootloader:·false |
| 129 | ······var_gpg_web_anon_write:·false | ||
| 130 | ······var_fips_mode:·true | 130 | ······var_fips_mode:·true |
| 131 | ······var_polyinstantiation_enabled:·false | 131 | ······var_polyinstantiation_enabled:·false |
| 132 | ······var_domain_kernel_load_modules:·false | 132 | ······var_domain_kernel_load_modules:·false |
| 133 | ······var_selinuxuser_use_ssh_chroot:·false | 133 | ······var_selinuxuser_use_ssh_chroot:·false |
| 134 | ······var_selinuxuser_ping:·true | 134 | ······var_selinuxuser_ping:·true |
| 135 | ······var_se | 135 | ······var_secure_mode_policyload:·false |
| 136 | ······var_secadm_exec_content:·true | 136 | ······var_secadm_exec_content:·true |
| 137 | ······var_selinux_policy_name:·targeted | 137 | ······var_selinux_policy_name:·targeted |
| 138 | ······var_selinux_state:·enforcing | 138 | ······var_selinux_state:·enforcing |
| 139 | ······var_accounts_password_minlen_login_defs:·6 | 139 | ······var_accounts_password_minlen_login_defs:·6 |
| 140 | ······var_accounts_password_warn_age_login_defs:·7 | 140 | ······var_accounts_password_warn_age_login_defs:·7 |
| 141 | ······var_accounts_minimum_age_login_defs:·7 | 141 | ······var_accounts_minimum_age_login_defs:·7 |
| 142 | ······var_accounts_maximum_age_login_defs:·60 | 142 | ······var_accounts_maximum_age_login_defs:·60 |
| Offset 156, 22 lines modified | Offset 156, 22 lines modified | ||
| 156 | ······var_password_pam_difok:·8 | 156 | ······var_password_pam_difok:·8 |
| 157 | ······var_password_pam_ocredit:·-1 | 157 | ······var_password_pam_ocredit:·-1 |
| 158 | ······var_password_pam_lcredit:·-1 | 158 | ······var_password_pam_lcredit:·-1 |
| 159 | ······var_password_pam_ucredit:·-1 | 159 | ······var_password_pam_ucredit:·-1 |
| 160 | ······var_password_pam_retry:·3 | 160 | ······var_password_pam_retry:·3 |
| 161 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 161 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 162 | ······var_accounts_user_umask:·077 | 162 | ······var_accounts_user_umask:·077 |
| 163 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 163 | ······var_accounts_fail_delay:·4 | 164 | ······var_accounts_fail_delay:·4 |
| 164 | ······var_accounts_tmout:·600 | 165 | ······var_accounts_tmout:·600 |
| 165 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 166 | ······var_auditd_max_log_file:·6 | 166 | ······var_auditd_max_log_file:·6 |
| 167 | ······var_auditd_action_mail_acct:·root | 167 | ······var_auditd_action_mail_acct:·root |
| 168 | ······var_auditd_space_left_action:·email | ||
| 169 | ······var_auditd_admin_space_left_action:·single | 168 | ······var_auditd_admin_space_left_action:·single |
| 170 | ······var_auditd_max_log_file_action:·rotate | 169 | ······var_auditd_max_log_file_action:·rotate |
| 170 | ······var_auditd_space_left_action:·email | ||
| 171 | ······var_removable_partition:·/dev/cdrom | 171 | ······var_removable_partition:·/dev/cdrom |
| 172 | ······var_removable_partition:·/dev/cdrom | 172 | ······var_removable_partition:·/dev/cdrom |
| 173 | ······var_removable_partition:·/dev/cdrom | 173 | ······var_removable_partition:·/dev/cdrom |
| Max diff block lines reached; 173777/180658 bytes (96.19%) of diff not shown. | |||
| Offset 61, 93 lines modified | Offset 61, 93 lines modified | ||
| 61 | ·········· | 61 | ·········· |
| 62 | ···vars: | 62 | ···vars: |
| 63 | ······sshd_idle_timeout_value:·600 | 63 | ······sshd_idle_timeout_value:·600 |
| 64 | ······sshd_listening_port:·22 | 64 | ······sshd_listening_port:·22 |
| 65 | ······inactivity_timeout_value:·900 | 65 | ······inactivity_timeout_value:·900 |
| 66 | ······rsyslog_remote_loghost_address:·logcollector | 66 | ······rsyslog_remote_loghost_address:·logcollector |
| 67 | ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0 | 67 | ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0 |
| 68 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | ||
| 69 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 68 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 69 | ······sysctl_net_ipv6_conf_all_forwarding_value:·0 | ||
| 70 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 | 70 | ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0 |
| 71 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 | 71 | ······sysctl_net_ipv6_conf_default_accept_ra_value:·0 |
| 72 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 | 72 | ······sysctl_net_ipv6_conf_all_accept_ra_value:·0 |
| 73 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 | 73 | ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0 |
| 74 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 74 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 75 | ······sysctl_net_ipv4_icmp_ | 75 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 76 | ······sysctl_net_ipv4_conf_default_ | 76 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 77 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 | 77 | ······sysctl_net_ipv4_conf_default_rp_filter_value:·1 |
| 78 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 | 78 | ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0 |
| 79 | ······sysctl_net_ipv4_conf_ | 79 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 |
| 80 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 | 80 | ······sysctl_net_ipv4_tcp_syncookies_value:·1 |
| 81 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | 81 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 |
| 82 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 | 82 | ······sysctl_net_ipv4_conf_all_log_martians_value:·1 |
| 83 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 | 83 | ······sysctl_net_ipv4_conf_all_rp_filter_value:·1 |
| 84 | ······sysctl_net_ipv4_icmp_ | 84 | ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1 |
| 85 | ······sysctl_net_ipv4_conf_ | 85 | ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 |
| 86 | ······sysctl_net_ipv4_conf_default_ | 86 | ······sysctl_net_ipv4_conf_default_log_martians_value:·1 |
| 87 | ······var_ssh_sysadm_login:·false | 87 | ······var_ssh_sysadm_login:·false |
| 88 | ······var_login_console_enabled:·true | ||
| 88 | ······var_auditadm_exec_content:·true | 89 | ······var_auditadm_exec_content:·true |
| 89 | ······var_selinuxuser_execstack:·true | 90 | ······var_selinuxuser_execstack:·true |
| 90 | ······var_mount_anyfile:·true | 91 | ······var_mount_anyfile:·true |
| 91 | ······var_ | 92 | ······var_cron_system_cronjob_use_shares:·false |
| 92 | ······var_cron_can_relabel:·false | 93 | ······var_cron_can_relabel:·false |
| 94 | ······var_guest_exec_content:·true | ||
| 95 | ······var_secure_mode:·false | ||
| 93 | ······var_user_exec_content:·true | 96 | ······var_user_exec_content:·true |
| 94 | ······var_deny_ptrace:·false | 97 | ······var_deny_ptrace:·false |
| 95 | ······var_guest_exec_content:·true | ||
| 96 | ······var_xserver_object_manager:·false | 98 | ······var_xserver_object_manager:·false |
| 97 | ······var_xdm_sysadm_login:·false | 99 | ······var_xdm_sysadm_login:·false |
| 100 | ······var_sysadm_exec_content:·true | ||
| 98 | ······var_selinuxuser_mysql_connect_enabled:·false | 101 | ······var_selinuxuser_mysql_connect_enabled:·false |
| 99 | ······var_ | 102 | ······var_selinuxuser_udp_server:·false |
| 100 | ······var_secure_mode:·false | ||
| 101 | ······var_ssh_keysign:·false | 103 | ······var_ssh_keysign:·false |
| 102 | ······var_staff_exec_content:·true | 104 | ······var_staff_exec_content:·true |
| 105 | ······var_gpg_web_anon_write:·false | ||
| 103 | ······var_xserver_execmem:·false | 106 | ······var_xserver_execmem:·false |
| 104 | ······var_ | 107 | ······var_cron_userdomain_transition:·true |
| 108 | ······var_xguest_mount_media:·true | ||
| 105 | ······var_selinuxuser_rw_noexattrfile:·true | 109 | ······var_selinuxuser_rw_noexattrfile:·true |
| 106 | ······var_deny_execmem:·false | 110 | ······var_deny_execmem:·false |
| 107 | ······var_ssh_chroot_rw_homedirs:·false | 111 | ······var_ssh_chroot_rw_homedirs:·false |
| 108 | ······var_logging_syslogd_can_sendmail:·false | ||
| 109 | ······var_abrt_anon_write:·false | 112 | ······var_abrt_anon_write:·false |
| 110 | ······var_ | 113 | ······var_kerberos_enabled:·true |
| 111 | ······var_logging_syslogd_use_tty:·true | 114 | ······var_logging_syslogd_use_tty:·true |
| 112 | ······var_login_console_enabled:·true | ||
| 113 | ······var_abrt_handle_event:·false | 115 | ······var_abrt_handle_event:·false |
| 116 | ······var_mock_enable_homedirs:·false | ||
| 117 | ······var_secure_mode_insmod:·false | ||
| 114 | ······var_unconfined_login:·true | 118 | ······var_unconfined_login:·true |
| 119 | ······var_logging_syslogd_can_sendmail:·false | ||
| 115 | ······var_selinuxuser_postgresql_connect_enabled:·false | 120 | ······var_selinuxuser_postgresql_connect_enabled:·false |
| 121 | ······var_daemons_use_tcp_wrapper:·false | ||
| 116 | ······var_abrt_upload_watch_anon_write:·true | 122 | ······var_abrt_upload_watch_anon_write:·true |
| 117 | ······var_daemons_use_tty:·false | 123 | ······var_daemons_use_tty:·false |
| 118 | ······var_selinuxuser_tcp_server:·false | 124 | ······var_selinuxuser_tcp_server:·false |
| 119 | ······var_selinuxuser_direct_dri_enabled:·true | 125 | ······var_selinuxuser_direct_dri_enabled:·true |
| 120 | ······var_xdm_bind_vnc_tcp_port:·false | 126 | ······var_xdm_bind_vnc_tcp_port:·false |
| 121 | ······var_xserver_clients_write_xshm:·false | 127 | ······var_xserver_clients_write_xshm:·false |
| 122 | ······var_use_ecryptfs_home_dirs:·false | 128 | ······var_use_ecryptfs_home_dirs:·false |
| 123 | ······var_mock_enable_homedirs:·false | ||
| 124 | ······var_xguest_exec_content:·true | 129 | ······var_xguest_exec_content:·true |
| 130 | ······var_xdm_write_home:·false | ||
| 131 | ······var_logadm_exec_content:·true | ||
| 125 | ······var_domain_fd_use:·true | 132 | ······var_domain_fd_use:·true |
| 126 | ······var_selinuxuser_udp_server:·false | ||
| 127 | ······var_mmap_low_allowed:·false | 133 | ······var_mmap_low_allowed:·false |
| 128 | ······var_selinuxuser_share_music:·false | 134 | ······var_selinuxuser_share_music:·false |
| 129 | ······var_selinuxuser_execmod:·true | 135 | ······var_selinuxuser_execmod:·true |
| 130 | ······var_cron_system_cronjob_use_shares:·false | ||
| 131 | ······var_logadm_exec_content:·true | ||
| 132 | ······var_xguest_connect_network:·true | 136 | ······var_xguest_connect_network:·true |
| 133 | ······var_xdm_write_home:·false | ||
| 134 | ······var_sysadm_exec_content:·true | ||
| 135 | ······var_xguest_use_bluetooth:·true | 137 | ······var_xguest_use_bluetooth:·true |
| 136 | ······var_ | 138 | ······var_selinuxuser_execheap:·false |
| 137 | ······var_secure_mode_policyload:·false | ||
| 138 | ······var_daemons_dump_core:·false | 139 | ······var_daemons_dump_core:·false |
| 139 | ······var_xdm_exec_bootloader:·false | 140 | ······var_xdm_exec_bootloader:·false |
| 140 | ······var_gpg_web_anon_write:·false | ||
| 141 | ······var_fips_mode:·true | 141 | ······var_fips_mode:·true |
| 142 | ······var_polyinstantiation_enabled:·false | 142 | ······var_polyinstantiation_enabled:·false |
| 143 | ······var_domain_kernel_load_modules:·false | 143 | ······var_domain_kernel_load_modules:·false |
| 144 | ······var_selinuxuser_use_ssh_chroot:·false | 144 | ······var_selinuxuser_use_ssh_chroot:·false |
| 145 | ······var_selinuxuser_ping:·true | 145 | ······var_selinuxuser_ping:·true |
| 146 | ······var_se | 146 | ······var_secure_mode_policyload:·false |
| 147 | ······var_secadm_exec_content:·true | 147 | ······var_secadm_exec_content:·true |
| 148 | ······var_selinux_policy_name:·targeted | 148 | ······var_selinux_policy_name:·targeted |
| 149 | ······var_selinux_state:·enforcing | 149 | ······var_selinux_state:·enforcing |
| 150 | ······var_accounts_password_minlen_login_defs:·6 | 150 | ······var_accounts_password_minlen_login_defs:·6 |
| 151 | ······var_accounts_password_warn_age_login_defs:·7 | 151 | ······var_accounts_password_warn_age_login_defs:·7 |
| 152 | ······var_accounts_minimum_age_login_defs:·7 | 152 | ······var_accounts_minimum_age_login_defs:·7 |
| 153 | ······var_accounts_maximum_age_login_defs:·60 | 153 | ······var_accounts_maximum_age_login_defs:·60 |
| Offset 167, 22 lines modified | Offset 167, 22 lines modified | ||
| 167 | ······var_password_pam_difok:·8 | 167 | ······var_password_pam_difok:·8 |
| 168 | ······var_password_pam_ocredit:·-1 | 168 | ······var_password_pam_ocredit:·-1 |
| 169 | ······var_password_pam_lcredit:·-1 | 169 | ······var_password_pam_lcredit:·-1 |
| 170 | ······var_password_pam_ucredit:·-1 | 170 | ······var_password_pam_ucredit:·-1 |
| 171 | ······var_password_pam_retry:·3 | 171 | ······var_password_pam_retry:·3 |
| 172 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. | 172 | ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. |
| 173 | ······var_accounts_user_umask:·077 | 173 | ······var_accounts_user_umask:·077 |
| 174 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 174 | ······var_accounts_fail_delay:·4 | 175 | ······var_accounts_fail_delay:·4 |
| 175 | ······var_accounts_tmout:·600 | 176 | ······var_accounts_tmout:·600 |
| 176 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 177 | ······var_auditd_max_log_file:·6 | 177 | ······var_auditd_max_log_file:·6 |
| 178 | ······var_auditd_action_mail_acct:·root | 178 | ······var_auditd_action_mail_acct:·root |
| 179 | ······var_auditd_space_left_action:·email | ||
| 180 | ······var_auditd_admin_space_left_action:·single | 179 | ······var_auditd_admin_space_left_action:·single |
| 181 | ······var_auditd_max_log_file_action:·rotate | 180 | ······var_auditd_max_log_file_action:·rotate |
| 181 | ······var_auditd_space_left_action:·email | ||
| 182 | ······var_removable_partition:·/dev/cdrom | 182 | ······var_removable_partition:·/dev/cdrom |
| 183 | ······var_removable_partition:·/dev/cdrom | 183 | ······var_removable_partition:·/dev/cdrom |
| 184 | ······var_removable_partition:·/dev/cdrom | 184 | ······var_removable_partition:·/dev/cdrom |
| Max diff block lines reached; 173778/180659 bytes (96.19%) of diff not shown. | |||
| Offset 43, 17 lines modified | Offset 43, 17 lines modified | ||
| 43 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 | 43 | ······var_accounts_passwords_pam_faillock_fail_interval:·100000000 |
| 44 | ······var_password_pam_minlen:·7 | 44 | ······var_password_pam_minlen:·7 |
| 45 | ······var_password_pam_dcredit:·-1 | 45 | ······var_password_pam_dcredit:·-1 |
| 46 | ······var_password_pam_lcredit:·-1 | 46 | ······var_password_pam_lcredit:·-1 |
| 47 | ······var_password_pam_ucredit:·-1 | 47 | ······var_password_pam_ucredit:·-1 |
| 48 | ······var_auditd_max_log_file:·1 | 48 | ······var_auditd_max_log_file:·1 |
| 49 | ······var_auditd_action_mail_acct:·admin | 49 | ······var_auditd_action_mail_acct:·admin |
| 50 | ······var_auditd_space_left_action:·suspend | ||
| 51 | ······var_auditd_admin_space_left_action:·suspend | 50 | ······var_auditd_admin_space_left_action:·suspend |
| 52 | ······var_auditd_max_log_file_action:·rotate | 51 | ······var_auditd_max_log_file_action:·rotate |
| 52 | ······var_auditd_space_left_action:·suspend | ||
| 53 | ···tasks: | 53 | ···tasks: |
| 54 | ···· | 54 | ···· |
| 55 | ···· | 55 | ···· |
| 56 | ····-·name:·Set·SSH·Idle·Timeout·Interval | 56 | ····-·name:·Set·SSH·Idle·Timeout·Interval |
| 57 | ······lineinfile: | 57 | ······lineinfile: |
| 58 | ········create:·yes | 58 | ········create:·yes |
| 59 | ········dest:·/etc/ssh/sshd_config | 59 | ········dest:·/etc/ssh/sshd_config |
| Offset 596, 91 lines modified | Offset 596, 91 lines modified | ||
| 596 | ········-·CCE-80111-8 | 596 | ········-·CCE-80111-8 |
| 597 | ········-·NIST-800-53-AC-11(a) | 597 | ········-·NIST-800-53-AC-11(a) |
| 598 | ········-·NIST-800-171-3.1.10 | 598 | ········-·NIST-800-171-3.1.10 |
| 599 | ········-·PCI-DSS-Req-8.1.8 | 599 | ········-·PCI-DSS-Req-8.1.8 |
| 600 | ········-·CJIS-5.5.5 | 600 | ········-·CJIS-5.5.5 |
| 601 | ········-·DISA-STIG-RHEL-07-010100 | 601 | ········-·DISA-STIG-RHEL-07-010100 |
| 602 | ···· | 602 | ···· |
| 603 | ···· | 603 | ····-·name:·"Implement·Blank·Screensaver" |
| 604 | ···· | ||
| 605 | ····-·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout" | ||
| 606 | ······ini_file: | 604 | ······ini_file: |
| 607 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" | 605 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" |
| 608 | ········section:·"org/gnome/desktop/screensaver" | 606 | ········section:·"org/gnome/desktop/screensaver" |
| 609 | ········option:·i | 607 | ········option:·picture-uri |
| 610 | ········value:· | 608 | ········value:·string·'' |
| 611 | ········create:·yes | 609 | ········create:·yes |
| 612 | ······tags: | 610 | ······tags: |
| 613 | ········-·dconf_gnome_screensaver_ | 611 | ········-·dconf_gnome_screensaver_mode_blank |
| 614 | ········-· | 612 | ········-·unknown_severity |
| 615 | ········-·unknown_strategy | 613 | ········-·unknown_strategy |
| 616 | ········-·low_complexity | 614 | ········-·low_complexity |
| 617 | ········-·medium_disruption | 615 | ········-·medium_disruption |
| 618 | ········-·CCE-8011 | 616 | ········-·CCE-80113-4 |
| 619 | ········-·NIST-800-53-AC-11( | 617 | ········-·NIST-800-53-AC-11(b) |
| 620 | ········-·NIST-800-171-3.1.10 | 618 | ········-·NIST-800-171-3.1.10 |
| 621 | ········-·PCI-DSS-Req-8.1.8 | 619 | ········-·PCI-DSS-Req-8.1.8 |
| 622 | ········-·CJIS-5.5.5 | 620 | ········-·CJIS-5.5.5 |
| 623 | ········-·DISA-STIG-RHEL-07-010070 | ||
| 624 | ···· | 621 | ···· |
| 625 | ····-·name:·"Prevent·user·modification·of·GNOME·i | 622 | ····-·name:·"Prevent·user·modification·of·GNOME·picture-uri" |
| 626 | ······lineinfile: | 623 | ······lineinfile: |
| 627 | ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock | 624 | ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock |
| 628 | ········regexp:·'^/org/gnome/desktop/screensaver/i | 625 | ········regexp:·'^/org/gnome/desktop/screensaver/picture-uri' |
| 629 | ········line:·'/org/gnome/desktop/screensaver/i | 626 | ········line:·'/org/gnome/desktop/screensaver/picture-uri' |
| 630 | ········create:·yes | 627 | ········create:·yes |
| 631 | ······tags: | 628 | ······tags: |
| 632 | ········-·dconf_gnome_screensaver_ | 629 | ········-·dconf_gnome_screensaver_mode_blank |
| 633 | ········-· | 630 | ········-·unknown_severity |
| 634 | ········-·unknown_strategy | 631 | ········-·unknown_strategy |
| 635 | ········-·low_complexity | 632 | ········-·low_complexity |
| 636 | ········-·medium_disruption | 633 | ········-·medium_disruption |
| 637 | ········-·CCE-8011 | 634 | ········-·CCE-80113-4 |
| 638 | ········-·NIST-800-53-AC-11( | 635 | ········-·NIST-800-53-AC-11(b) |
| 639 | ········-·NIST-800-171-3.1.10 | 636 | ········-·NIST-800-171-3.1.10 |
| 640 | ········-·PCI-DSS-Req-8.1.8 | 637 | ········-·PCI-DSS-Req-8.1.8 |
| 641 | ········-·CJIS-5.5.5 | 638 | ········-·CJIS-5.5.5 |
| 642 | ········-·DISA-STIG-RHEL-07-010070 | ||
| 643 | ···· | 639 | ···· |
| 644 | ···· | 640 | ···· |
| 641 | ···· | ||
| 642 | ····-·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout" | ||
| 645 | ······ini_file: | 643 | ······ini_file: |
| 646 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" | 644 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" |
| 647 | ········section:·"org/gnome/desktop/screensaver" | 645 | ········section:·"org/gnome/desktop/screensaver" |
| 648 | ········option:· | 646 | ········option:·idle-delay |
| 649 | ········value:· | 647 | ········value:·"{{·inactivity_timeout_value·}}" |
| 650 | ········create:·yes | 648 | ········create:·yes |
| 651 | ······tags: | 649 | ······tags: |
| 652 | ········-·dconf_gnome_screensaver_ | 650 | ········-·dconf_gnome_screensaver_idle_delay |
| 653 | ········-· | 651 | ········-·medium_severity |
| 654 | ········-·unknown_strategy | 652 | ········-·unknown_strategy |
| 655 | ········-·low_complexity | 653 | ········-·low_complexity |
| 656 | ········-·medium_disruption | 654 | ········-·medium_disruption |
| 657 | ········-·CCE-8011 | 655 | ········-·CCE-80110-0 |
| 658 | ········-·NIST-800-53-AC-11( | 656 | ········-·NIST-800-53-AC-11(a) |
| 659 | ········-·NIST-800-171-3.1.10 | 657 | ········-·NIST-800-171-3.1.10 |
| 660 | ········-·PCI-DSS-Req-8.1.8 | 658 | ········-·PCI-DSS-Req-8.1.8 |
| 661 | ········-·CJIS-5.5.5 | 659 | ········-·CJIS-5.5.5 |
| 660 | ········-·DISA-STIG-RHEL-07-010070 | ||
| 662 | ···· | 661 | ···· |
| 663 | ····-·name:·"Prevent·user·modification·of·GNOME· | 662 | ····-·name:·"Prevent·user·modification·of·GNOME·idle-delay" |
| 664 | ······lineinfile: | 663 | ······lineinfile: |
| 665 | ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock | 664 | ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock |
| 666 | ········regexp:·'^/org/gnome/desktop/screensaver/ | 665 | ········regexp:·'^/org/gnome/desktop/screensaver/idle-delay' |
| 667 | ········line:·'/org/gnome/desktop/screensaver/ | 666 | ········line:·'/org/gnome/desktop/screensaver/idle-delay' |
| 668 | ········create:·yes | 667 | ········create:·yes |
| 669 | ······tags: | 668 | ······tags: |
| 670 | ········-·dconf_gnome_screensaver_ | 669 | ········-·dconf_gnome_screensaver_idle_delay |
| 671 | ········-· | 670 | ········-·medium_severity |
| 672 | ········-·unknown_strategy | 671 | ········-·unknown_strategy |
| 673 | ········-·low_complexity | 672 | ········-·low_complexity |
| 674 | ········-·medium_disruption | 673 | ········-·medium_disruption |
| 675 | ········-·CCE-8011 | 674 | ········-·CCE-80110-0 |
| 676 | ········-·NIST-800-53-AC-11( | 675 | ········-·NIST-800-53-AC-11(a) |
| 677 | ········-·NIST-800-171-3.1.10 | 676 | ········-·NIST-800-171-3.1.10 |
| 678 | ········-·PCI-DSS-Req-8.1.8 | 677 | ········-·PCI-DSS-Req-8.1.8 |
| 679 | ········-·CJIS-5.5.5 | 678 | ········-·CJIS-5.5.5 |
| 679 | ········-·DISA-STIG-RHEL-07-010070 | ||
| 680 | ···· | 680 | ···· |
| 681 | ····-·name:·"Enable·GNOME3·Screensaver·Lock·After·Idle·Period" | 681 | ····-·name:·"Enable·GNOME3·Screensaver·Lock·After·Idle·Period" |
| 682 | ······ini_file: | 682 | ······ini_file: |
| 683 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" | 683 | ········dest:·"/etc/dconf/db/local.d/00-security-settings" |
| 684 | ········section:·"org/gnome/desktop/screensaver" | 684 | ········section:·"org/gnome/desktop/screensaver" |
| 685 | ········option:·lock-enabled | 685 | ········option:·lock-enabled |
| 686 | ········value:·"true" | 686 | ········value:·"true" |
| Offset 1129, 79 lines modified | Offset 1129, 79 lines modified | ||
| 1129 | ········-·NIST-800-171-3.3.1 | 1129 | ········-·NIST-800-171-3.3.1 |
| 1130 | ········-·PCI-DSS-Req-10.7.a | 1130 | ········-·PCI-DSS-Req-10.7.a |
| 1131 | ········-·CJIS-5.4.1.1 | 1131 | ········-·CJIS-5.4.1.1 |
| 1132 | ········-·DISA-STIG-RHEL-07-030350 | 1132 | ········-·DISA-STIG-RHEL-07-030350 |
| 1133 | ···· | 1133 | ···· |
| 1134 | ···· | 1134 | ···· |
| 1135 | ···· | 1135 | ···· |
| 1136 | ····-·name:·Configure·auditd·space_left·Action·on·Low·Disk·Space | 1136 | ····-·name:·Configure·auditd·admin_space_left·Action·on·Low·Disk·Space |
| 1137 | ······lineinfile: | 1137 | ······lineinfile: |
| 1138 | ········dest:·/etc/audit/auditd.conf | 1138 | ········dest:·/etc/audit/auditd.conf |
| 1139 | ········line:·"space_left_action·=·{{·var_auditd_space_left_action·}}" | 1139 | ········line:·"admin_space_left_action·=·{{·var_auditd_admin_space_left_action·}}" |
| 1140 | ········regexp:·^space_left_action* | 1140 | ········regexp:·"^admin_space_left_action*" |
| Max diff block lines reached; 56742/62091 bytes (91.39%) of diff not shown. | |||
| Offset 164, 14 lines modified | Offset 164, 39 lines modified | ||
| 164 | ········-·NIST-800-53-AC-2(5) | 164 | ········-·NIST-800-53-AC-2(5) |
| 165 | ········-·NIST-800-53-SA-8 | 165 | ········-·NIST-800-53-SA-8 |
| 166 | ········-·NIST-800-53-AC-12 | 166 | ········-·NIST-800-53-AC-12 |
| 167 | ········-·NIST-800-171-3.1.11 | 167 | ········-·NIST-800-171-3.1.11 |
| 168 | ········-·CJIS-5.5.6 | 168 | ········-·CJIS-5.5.6 |
| 169 | ········-·DISA-STIG-RHEL-07-040340 | 169 | ········-·DISA-STIG-RHEL-07-040340 |
| 170 | ···· | 170 | ···· |
| 171 | ···· | ||
| 172 | ···· | ||
| 173 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 174 | ······lineinfile: | ||
| 175 | ········create:·yes | ||
| 176 | ········dest:·/etc/ssh/sshd_config | ||
| 177 | ········regexp:·^ClientAliveInterval | ||
| 178 | ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}" | ||
| 179 | ········validate:·sshd·-t·-f·%s | ||
| 180 | ······#notify:·restart·sshd | ||
| 181 | ······tags: | ||
| 182 | ········-·sshd_set_idle_timeout | ||
| 183 | ········-·unknown_severity | ||
| 184 | ········-·restrict_strategy | ||
| 185 | ········-·low_complexity | ||
| 186 | ········-·low_disruption | ||
| 187 | ········-·CCE-27433-2 | ||
| 188 | ········-·NIST-800-53-AC-2(5) | ||
| 189 | ········-·NIST-800-53-SA-8(i) | ||
| 190 | ········-·NIST-800-53-AC-12 | ||
| 191 | ········-·NIST-800-171-3.1.11 | ||
| 192 | ········-·PCI-DSS-Req-8.1.8 | ||
| 193 | ········-·CJIS-5.5.6 | ||
| 194 | ········-·DISA-STIG-RHEL-07-040320 | ||
| 195 | ···· | ||
| 171 | ····-·name:·Enable·SSH·Warning·Banner | 196 | ····-·name:·Enable·SSH·Warning·Banner |
| 172 | ······lineinfile: | 197 | ······lineinfile: |
| 173 | ········create:·yes | 198 | ········create:·yes |
| 174 | ········dest:·/etc/ssh/sshd_config | 199 | ········dest:·/etc/ssh/sshd_config |
| 175 | ········regexp:·^Banner | 200 | ········regexp:·^Banner |
| 176 | ········line:·Banner·/etc/issue | 201 | ········line:·Banner·/etc/issue |
| 177 | ········validate:·sshd·-t·-f·%s | 202 | ········validate:·sshd·-t·-f·%s |
| Offset 187, 33 lines modified | Offset 212, 14 lines modified | ||
| 187 | ········-·NIST-800-53-AC-8(c)(1) | 212 | ········-·NIST-800-53-AC-8(c)(1) |
| 188 | ········-·NIST-800-53-AC-8(c)(2) | 213 | ········-·NIST-800-53-AC-8(c)(2) |
| 189 | ········-·NIST-800-53-AC-8(c)(3) | 214 | ········-·NIST-800-53-AC-8(c)(3) |
| 190 | ········-·NIST-800-171-3.1.9 | 215 | ········-·NIST-800-171-3.1.9 |
| 191 | ········-·CJIS-5.5.6 | 216 | ········-·CJIS-5.5.6 |
| 192 | ········-·DISA-STIG-RHEL-07-040170 | 217 | ········-·DISA-STIG-RHEL-07-040170 |
| 193 | ···· | 218 | ···· |
| 194 | ····-·name:·Do·Not·Allow·SSH·Environment·Options | ||
| 195 | ······lineinfile: | ||
| 196 | ········create:·yes | ||
| 197 | ········dest:·/etc/ssh/sshd_config | ||
| 198 | ········regexp:·^PermitUserEnvironment | ||
| 199 | ········line:·PermitUserEnvironment·no | ||
| 200 | ········validate:·sshd·-t·-f·%s | ||
| 201 | ······tags: | ||
| 202 | ········-·sshd_do_not_permit_user_env | ||
| 203 | ········-·medium_severity | ||
| 204 | ········-·restrict_strategy | ||
| 205 | ········-·low_complexity | ||
| 206 | ········-·low_disruption | ||
| 207 | ········-·CCE-27363-1 | ||
| 208 | ········-·NIST-800-53-CM-6(b) | ||
| 209 | ········-·NIST-800-171-3.1.12 | ||
| 210 | ········-·CJIS-5.5.6 | ||
| 211 | ········-·DISA-STIG-RHEL-07-010460 | ||
| 212 | ···· | ||
| 213 | ···· | 219 | ···· |
| 214 | ····-·name:·"Allow·Only·SSH·Protocol·2" | 220 | ····-·name:·"Allow·Only·SSH·Protocol·2" |
| 215 | ······lineinfile: | 221 | ······lineinfile: |
| 216 | ········dest:·/etc/ssh/sshd_config | 222 | ········dest:·/etc/ssh/sshd_config |
| 217 | ········regexp:·"^Protocol·[0-9]" | 223 | ········regexp:·"^Protocol·[0-9]" |
| 218 | ········line:·"Protocol·2" | 224 | ········line:·"Protocol·2" |
| 219 | ········validate:·sshd·-t·-f·%s | 225 | ········validate:·sshd·-t·-f·%s |
| Offset 248, 38 lines modified | Offset 254, 32 lines modified | ||
| 248 | ········-·CCE-27377-1 | 254 | ········-·CCE-27377-1 |
| 249 | ········-·NIST-800-53-AC-3 | 255 | ········-·NIST-800-53-AC-3 |
| 250 | ········-·NIST-800-53-CM-6(a) | 256 | ········-·NIST-800-53-CM-6(a) |
| 251 | ········-·NIST-800-171-3.1.12 | 257 | ········-·NIST-800-171-3.1.12 |
| 252 | ········-·CJIS-5.5.6 | 258 | ········-·CJIS-5.5.6 |
| 253 | ········-·DISA-STIG-RHEL-07-040350 | 259 | ········-·DISA-STIG-RHEL-07-040350 |
| 254 | ···· | 260 | ···· |
| 255 | ···· | 261 | ····-·name:·Do·Not·Allow·SSH·Environment·Options |
| 256 | ···· | ||
| 257 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 258 | ······lineinfile: | 262 | ······lineinfile: |
| 259 | ········create:·yes | 263 | ········create:·yes |
| 260 | ········dest:·/etc/ssh/sshd_config | 264 | ········dest:·/etc/ssh/sshd_config |
| 261 | ········regexp:·^ | 265 | ········regexp:·^PermitUserEnvironment |
| 262 | ········line:· | 266 | ········line:·PermitUserEnvironment·no |
| 263 | ········validate:·sshd·-t·-f·%s | 267 | ········validate:·sshd·-t·-f·%s |
| 264 | ······#notify:·restart·sshd | ||
| 265 | ······tags: | 268 | ······tags: |
| 266 | ········-·sshd_ | 269 | ········-·sshd_do_not_permit_user_env |
| 267 | ········-· | 270 | ········-·medium_severity |
| 268 | ········-·restrict_strategy | 271 | ········-·restrict_strategy |
| 269 | ········-·low_complexity | 272 | ········-·low_complexity |
| 270 | ········-·low_disruption | 273 | ········-·low_disruption |
| 271 | ········-·CCE-27 | 274 | ········-·CCE-27363-1 |
| 272 | ········-·NIST-800-53- | 275 | ········-·NIST-800-53-CM-6(b) |
| 273 | ········-·NIST-800- | 276 | ········-·NIST-800-171-3.1.12 |
| 274 | ········-·NIST-800-53-AC-12 | ||
| 275 | ········-·NIST-800-171-3.1.11 | ||
| 276 | ········-·PCI-DSS-Req-8.1.8 | ||
| 277 | ········-·CJIS-5.5.6 | 277 | ········-·CJIS-5.5.6 |
| 278 | ········-·DISA-STIG-RHEL-07-0 | 278 | ········-·DISA-STIG-RHEL-07-010460 |
| 279 | ···· | 279 | ···· |
| 280 | ····-·name:·Use·Only·Approved·Ciphers | 280 | ····-·name:·Use·Only·Approved·Ciphers |
| 281 | ······lineinfile: | 281 | ······lineinfile: |
| 282 | ········create:·yes | 282 | ········create:·yes |
| 283 | ········dest:·/etc/ssh/sshd_config | 283 | ········dest:·/etc/ssh/sshd_config |
| 284 | ········regexp:·^Ciphers | 284 | ········regexp:·^Ciphers |
| 285 | ········line:·Ciphers·aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc | 285 | ········line:·Ciphers·aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc |
| Offset 1435, 72 lines modified | Offset 1435, 72 lines modified | ||
| 1435 | ········-·low_complexity | 1435 | ········-·low_complexity |
| 1436 | ········-·low_disruption | 1436 | ········-·low_disruption |
| 1437 | ········-·CCE-26887-0 | 1437 | ········-·CCE-26887-0 |
| 1438 | ········-·NIST-800-53-AC-6 | 1438 | ········-·NIST-800-53-AC-6 |
| 1439 | ········-·PCI-DSS-Req-8.7.c | 1439 | ········-·PCI-DSS-Req-8.7.c |
| 1440 | ········-·CJIS-5.5.2.2 | 1440 | ········-·CJIS-5.5.2.2 |
| 1441 | ···· | 1441 | ···· |
| 1442 | ····-·name:·"Read·list· | 1442 | ····-·name:·"Read·list·of·world·and·group·writable·system·executables" |
| 1443 | ······shell:·"find· | 1443 | ······shell:·"find·/bin·/usr/bin·/usr/local/bin·/sbin·/usr/sbin·/usr/local/sbin·/usr/libexec·-perm·/022·-type·f" |
| 1444 | ······register:· | 1444 | ······register:·world_writable_library_files |
| 1445 | ······changed_when:·False | 1445 | ······changed_when:·False |
| 1446 | ······failed_when:·False | 1446 | ······failed_when:·False |
| 1447 | ······check_mode:·no | 1447 | ······check_mode:·no |
| 1448 | ······tags: | 1448 | ······tags: |
| Max diff block lines reached; 2725/7023 bytes (38.80%) of diff not shown. | |||
| Offset 832, 1269 lines modified | Offset 832, 1269 lines modified | ||
| 832 | ········-·CJIS-5.4.1.1 | 832 | ········-·CJIS-5.4.1.1 |
| 833 | ········-·DISA-STIG-RHEL-07-030440 | 833 | ········-·DISA-STIG-RHEL-07-030440 |
| 834 | ···· | 834 | ···· |
| 835 | ···· | 835 | ···· |
| 836 | ····# | 836 | ····# |
| 837 | ····#·What·architecture·are·we·on? | 837 | ····#·What·architecture·are·we·on? |
| 838 | ····# | 838 | ····# |
| 839 | ····-·name:·Set·architecture·for·audit· | 839 | ····-·name:·Set·architecture·for·audit·chown·tasks |
| 840 | ······set_fact: | 840 | ······set_fact: |
| 841 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" | 841 | ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}" |
| 842 | ···· | 842 | ···· |
| 843 | ····# | 843 | ····# |
| 844 | ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d | 844 | ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d |
| 845 | ····# | 845 | ····# |
| 846 | ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules | 846 | ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules |
| 847 | ······find: | 847 | ······find: |
| 848 | ········paths:·"/etc/audit/rules.d" | 848 | ········paths:·"/etc/audit/rules.d" |
| 849 | ········recurse:·no | 849 | ········recurse:·no |
| 850 | ········contains:·"-F·key=perm_mod$" | 850 | ········contains:·"-F·key=perm_mod$" |
| 851 | ········patterns:·"*.rules" | 851 | ········patterns:·"*.rules" |
| 852 | ······register:·find_ | 852 | ······register:·find_chown |
| 853 | ···· | 853 | ···· |
| 854 | ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule | 854 | ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule |
| 855 | ······set_fact: | 855 | ······set_fact: |
| 856 | ········all_files:· | 856 | ········all_files:· |
| 857 | ··········-·/etc/audit/rules.d/privileged.rules | 857 | ··········-·/etc/audit/rules.d/privileged.rules |
| 858 | ······when:·find_ | 858 | ······when:·find_chown.matched·==·0 |
| 859 | ···· | 859 | ···· |
| 860 | ····-·name:·Use·matched·file·as·the·recipient·for·the·rule | 860 | ····-·name:·Use·matched·file·as·the·recipient·for·the·rule |
| 861 | ······set_fact: | 861 | ······set_fact: |
| 862 | ········all_files: | 862 | ········all_files: |
| 863 | ··········-·"{{·find_ | 863 | ··········-·"{{·find_chown.files·|·map(attribute='path')·|·list·|·first·}}" |
| 864 | ······when:·find_ | 864 | ······when:·find_chown.matched·>·0 |
| 865 | ···· | 865 | ···· |
| 866 | ····-·name:·Inserts/replaces·the· | 866 | ····-·name:·Inserts/replaces·the·chown·rule·in·rules.d·when·on·x86 |
| 867 | ······lineinfile: | 867 | ······lineinfile: |
| 868 | ········path:·"{{·all_files[0]·}}" | 868 | ········path:·"{{·all_files[0]·}}" |
| 869 | ········line:·"-a·always,exit·-F·arch=b32·-S· | 869 | ········line:·"-a·always,exit·-F·arch=b32·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" |
| 870 | ········create:·yes | 870 | ········create:·yes |
| 871 | ······tags: | 871 | ······tags: |
| 872 | ········-·audit_rules_dac_modification_ | 872 | ········-·audit_rules_dac_modification_chown |
| 873 | ········-·unknown_severity | 873 | ········-·unknown_severity |
| 874 | ········-·restrict_strategy | 874 | ········-·restrict_strategy |
| 875 | ········-·low_complexity | 875 | ········-·low_complexity |
| 876 | ········-·low_disruption | 876 | ········-·low_disruption |
| 877 | ········-·CCE-273 | 877 | ········-·CCE-27364-9 |
| 878 | ········-·NIST-800-53-AC-17(7) | 878 | ········-·NIST-800-53-AC-17(7) |
| 879 | ········-·NIST-800-53-AU-1(b) | 879 | ········-·NIST-800-53-AU-1(b) |
| 880 | ········-·NIST-800-53-AU-2(a) | 880 | ········-·NIST-800-53-AU-2(a) |
| 881 | ········-·NIST-800-53-AU-2(c) | 881 | ········-·NIST-800-53-AU-2(c) |
| 882 | ········-·NIST-800-53-AU-2(d) | 882 | ········-·NIST-800-53-AU-2(d) |
| 883 | ········-·NIST-800-53-AU-12(a) | 883 | ········-·NIST-800-53-AU-12(a) |
| 884 | ········-·NIST-800-53-AU-12(c) | 884 | ········-·NIST-800-53-AU-12(c) |
| 885 | ········-·NIST-800-53-IR-5 | 885 | ········-·NIST-800-53-IR-5 |
| 886 | ········-·NIST-800-171-3.1.7 | 886 | ········-·NIST-800-171-3.1.7 |
| 887 | ········-·PCI-DSS-Req-10.5.5 | 887 | ········-·PCI-DSS-Req-10.5.5 |
| 888 | ········-·CJIS-5.4.1.1 | 888 | ········-·CJIS-5.4.1.1 |
| 889 | ········-·DISA-STIG-RHEL-07-030 | 889 | ········-·DISA-STIG-RHEL-07-030370 |
| 890 | ···· | 890 | ···· |
| 891 | ····-·name:·Inserts/replaces·the· | 891 | ····-·name:·Inserts/replaces·the·chown·rule·in·rules.d·when·on·x86_64 |
| 892 | ······lineinfile: | 892 | ······lineinfile: |
| 893 | ········path:·"{{·all_files[0]·}}" | 893 | ········path:·"{{·all_files[0]·}}" |
| 894 | ········line:·"-a·always,exit·-F·arch=b64·-S· | 894 | ········line:·"-a·always,exit·-F·arch=b64·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" |
| 895 | ········create:·yes | 895 | ········create:·yes |
| 896 | ······when:·audit_arch·==·'b64' | 896 | ······when:·audit_arch·==·'b64' |
| 897 | ······tags: | 897 | ······tags: |
| 898 | ········-·audit_rules_dac_modification_ | 898 | ········-·audit_rules_dac_modification_chown |
| 899 | ········-·unknown_severity | 899 | ········-·unknown_severity |
| 900 | ········-·restrict_strategy | 900 | ········-·restrict_strategy |
| 901 | ········-·low_complexity | 901 | ········-·low_complexity |
| 902 | ········-·low_disruption | 902 | ········-·low_disruption |
| 903 | ········-·CCE-273 | 903 | ········-·CCE-27364-9 |
| 904 | ········-·NIST-800-53-AC-17(7) | 904 | ········-·NIST-800-53-AC-17(7) |
| 905 | ········-·NIST-800-53-AU-1(b) | 905 | ········-·NIST-800-53-AU-1(b) |
| 906 | ········-·NIST-800-53-AU-2(a) | 906 | ········-·NIST-800-53-AU-2(a) |
| 907 | ········-·NIST-800-53-AU-2(c) | 907 | ········-·NIST-800-53-AU-2(c) |
| 908 | ········-·NIST-800-53-AU-2(d) | 908 | ········-·NIST-800-53-AU-2(d) |
| 909 | ········-·NIST-800-53-AU-12(a) | 909 | ········-·NIST-800-53-AU-12(a) |
| 910 | ········-·NIST-800-53-AU-12(c) | 910 | ········-·NIST-800-53-AU-12(c) |
| 911 | ········-·NIST-800-53-IR-5 | 911 | ········-·NIST-800-53-IR-5 |
| 912 | ········-·NIST-800-171-3.1.7 | 912 | ········-·NIST-800-171-3.1.7 |
| 913 | ········-·PCI-DSS-Req-10.5.5 | 913 | ········-·PCI-DSS-Req-10.5.5 |
| 914 | ········-·CJIS-5.4.1.1 | 914 | ········-·CJIS-5.4.1.1 |
| 915 | ········-·DISA-STIG-RHEL-07-030 | 915 | ········-·DISA-STIG-RHEL-07-030370 |
| 916 | ····#···· | 916 | ····#···· |
| 917 | ····#·Inserts/replaces·the·rule·in·/etc/audit/audit.rules | 917 | ····#·Inserts/replaces·the·rule·in·/etc/audit/audit.rules |
| 918 | ····# | 918 | ····# |
| 919 | ····-·name:·Inserts/replaces·the· | 919 | ····-·name:·Inserts/replaces·the·chown·rule·in·/etc/audit/audit.rules·when·on·x86 |
| 920 | ······lineinfile: | 920 | ······lineinfile: |
| 921 | ········line:·"{{·item·}}" | 921 | ········line:·"{{·item·}}" |
| 922 | ········state:·present | 922 | ········state:·present |
| 923 | ········dest:·/etc/audit/audit.rules | 923 | ········dest:·/etc/audit/audit.rules |
| 924 | ······with_items: | 924 | ······with_items: |
| 925 | ········-·"-a·always,exit·-F·arch=b32·-S· | 925 | ········-·"-a·always,exit·-F·arch=b32·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" |
| 926 | ······tags: | 926 | ······tags: |
| 927 | ········-·audit_rules_dac_modification_ | 927 | ········-·audit_rules_dac_modification_chown |
| 928 | ········-·unknown_severity | 928 | ········-·unknown_severity |
| 929 | ········-·restrict_strategy | 929 | ········-·restrict_strategy |
| 930 | ········-·low_complexity | 930 | ········-·low_complexity |
| 931 | ········-·low_disruption | 931 | ········-·low_disruption |
| 932 | ········-·CCE-273 | 932 | ········-·CCE-27364-9 |
| 933 | ········-·NIST-800-53-AC-17(7) | 933 | ········-·NIST-800-53-AC-17(7) |
| 934 | ········-·NIST-800-53-AU-1(b) | 934 | ········-·NIST-800-53-AU-1(b) |
| 935 | ········-·NIST-800-53-AU-2(a) | 935 | ········-·NIST-800-53-AU-2(a) |
| 936 | ········-·NIST-800-53-AU-2(c) | 936 | ········-·NIST-800-53-AU-2(c) |
| 937 | ········-·NIST-800-53-AU-2(d) | 937 | ········-·NIST-800-53-AU-2(d) |
| 938 | ········-·NIST-800-53-AU-12(a) | 938 | ········-·NIST-800-53-AU-12(a) |
| 939 | ········-·NIST-800-53-AU-12(c) | 939 | ········-·NIST-800-53-AU-12(c) |
| 940 | ········-·NIST-800-53-IR-5 | 940 | ········-·NIST-800-53-IR-5 |
| 941 | ········-·NIST-800-171-3.1.7 | 941 | ········-·NIST-800-171-3.1.7 |
| 942 | ········-·PCI-DSS-Req-10.5.5 | 942 | ········-·PCI-DSS-Req-10.5.5 |
| 943 | ········-·CJIS-5.4.1.1 | 943 | ········-·CJIS-5.4.1.1 |
| 944 | ········-·DISA-STIG-RHEL-07-030 | 944 | ········-·DISA-STIG-RHEL-07-030370 |
| 945 | ···· | 945 | ···· |
| 946 | ····-·name:·Inserts/replaces·the· | 946 | ····-·name:·Inserts/replaces·the·chown·rule·in·audit.rules·when·on·x86_64 |
| 947 | ······lineinfile: | 947 | ······lineinfile: |
| 948 | ········line:·"{{·item·}}" | 948 | ········line:·"{{·item·}}" |
| 949 | ········state:·present | 949 | ········state:·present |
| 950 | ········dest:·/etc/audit/audit.rules | 950 | ········dest:·/etc/audit/audit.rules |
| 951 | ········create:·yes | 951 | ········create:·yes |
| 952 | ······with_items: | 952 | ······with_items: |
| 953 | ········-·"-a·always,exit·-F·arch=b64·-S· | 953 | ········-·"-a·always,exit·-F·arch=b64·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod" |
| 954 | ······when:·audit_arch·==·'b64' | 954 | ······when:·audit_arch·==·'b64' |
| 955 | ······tags: | 955 | ······tags: |
| 956 | ········-·audit_rules_dac_modification_ | 956 | ········-·audit_rules_dac_modification_chown |
| 957 | ········-·unknown_severity | 957 | ········-·unknown_severity |
| 958 | ········-·restrict_strategy | 958 | ········-·restrict_strategy |
| Max diff block lines reached; 48574/54119 bytes (89.75%) of diff not shown. | |||
| Offset 44, 18 lines modified | Offset 44, 18 lines modified | ||
| 44 | ·········· | 44 | ·········· |
| 45 | ···vars: | 45 | ···vars: |
| 46 | ······sshd_idle_timeout_value:·600 | 46 | ······sshd_idle_timeout_value:·600 |
| 47 | ······inactivity_timeout_value:·900 | 47 | ······inactivity_timeout_value:·900 |
| 48 | ······rsyslog_remote_loghost_address:·logcollector | 48 | ······rsyslog_remote_loghost_address:·logcollector |
| 49 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 | 49 | ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0 |
| 50 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 | 50 | ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0 |
| 51 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 52 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 | 51 | ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1 |
| 53 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 | ||
| 54 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 | 52 | ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0 |
| 53 | ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 | ||
| 54 | ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 | ||
| 55 | ······var_selinux_policy_name:·targeted | 55 | ······var_selinux_policy_name:·targeted |
| 56 | ······var_selinux_state:·enforcing | 56 | ······var_selinux_state:·enforcing |
| 57 | ······var_accounts_minimum_age_login_defs:·1 | 57 | ······var_accounts_minimum_age_login_defs:·1 |
| 58 | ······var_accounts_maximum_age_login_defs:·60 | 58 | ······var_accounts_maximum_age_login_defs:·60 |
| 59 | ······var_account_disable_post_pw_expiration:·0 | 59 | ······var_account_disable_post_pw_expiration:·0 |
| 60 | ······var_accounts_passwords_pam_faillock_deny:·3 | 60 | ······var_accounts_passwords_pam_faillock_deny:·3 |
| 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·never | 61 | ······var_accounts_passwords_pam_faillock_unlock_time:·never |
| Offset 72, 17 lines modified | Offset 72, 17 lines modified | ||
| 72 | ······var_password_pam_difok:·8 | 72 | ······var_password_pam_difok:·8 |
| 73 | ······var_password_pam_ocredit:·-1 | 73 | ······var_password_pam_ocredit:·-1 |
| 74 | ······var_password_pam_lcredit:·-1 | 74 | ······var_password_pam_lcredit:·-1 |
| 75 | ······var_password_pam_ucredit:·-1 | 75 | ······var_password_pam_ucredit:·-1 |
| 76 | ······var_password_pam_retry:·3 | 76 | ······var_password_pam_retry:·3 |
| 77 | ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) | 77 | ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) |
| 78 | ······var_accounts_user_umask:·077 | 78 | ······var_accounts_user_umask:·077 |
| 79 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 79 | ······var_accounts_fail_delay:·4 | 80 | ······var_accounts_fail_delay:·4 |
| 80 | ······var_accounts_tmout:·600 | 81 | ······var_accounts_tmout:·600 |
| 81 | ······var_accounts_max_concurrent_login_sessions:·10 | ||
| 82 | ······var_auditd_action_mail_acct:·root | 82 | ······var_auditd_action_mail_acct:·root |
| 83 | ······var_auditd_space_left_action:·email | 83 | ······var_auditd_space_left_action:·email |
| 84 | ······var_removable_partition:·/dev/cdrom | 84 | ······var_removable_partition:·/dev/cdrom |
| 85 | ···tasks: | 85 | ···tasks: |
| 86 | ····-·name:·Ensure·rsh-server·is·removed | 86 | ····-·name:·Ensure·rsh-server·is·removed |
| 87 | ······package: | 87 | ······package: |
| 88 | ········name="{{item}}" | 88 | ········name="{{item}}" |
| Offset 250, 14 lines modified | Offset 250, 33 lines modified | ||
| 250 | ········-·low_disruption | 250 | ········-·low_disruption |
| 251 | ········-·CCE-80258-7 | 251 | ········-·CCE-80258-7 |
| 252 | ········-·NIST-800-53-AC-17(8) | 252 | ········-·NIST-800-53-AC-17(8) |
| 253 | ········-·NIST-800-53-CM-7 | 253 | ········-·NIST-800-53-CM-7 |
| 254 | ········-·NIST-800-53-CM-6(b) | 254 | ········-·NIST-800-53-CM-6(b) |
| 255 | ········-·DISA-STIG-RHEL-07-021300 | 255 | ········-·DISA-STIG-RHEL-07-021300 |
| 256 | ···· | 256 | ···· |
| 257 | ····-·name:·"Enable·Use·of·Strict·Mode·Checking" | ||
| 258 | ······lineinfile: | ||
| 259 | ········create:·yes | ||
| 260 | ········dest:·/etc/ssh/sshd_config | ||
| 261 | ········regexp:·(?i)^#?strictmodes | ||
| 262 | ········line:·StrictModes·yes | ||
| 263 | ········validate:·sshd·-t·-f·%s | ||
| 264 | ······#notify:·restart·sshd | ||
| 265 | ······tags: | ||
| 266 | ········-·sshd_enable_strictmodes | ||
| 267 | ········-·medium_severity | ||
| 268 | ········-·restrict_strategy | ||
| 269 | ········-·low_complexity | ||
| 270 | ········-·low_disruption | ||
| 271 | ········-·CCE-80222-3 | ||
| 272 | ········-·NIST-800-53-AC-6 | ||
| 273 | ········-·NIST-800-171-3.1.12 | ||
| 274 | ········-·DISA-STIG-RHEL-07-040450 | ||
| 275 | ···· | ||
| 257 | ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts" | 276 | ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts" |
| 258 | ······lineinfile: | 277 | ······lineinfile: |
| 259 | ········create:·yes | 278 | ········create:·yes |
| 260 | ········dest:·/etc/ssh/sshd_config | 279 | ········dest:·/etc/ssh/sshd_config |
| 261 | ········regexp:·^IgnoreUserKnownHosts | 280 | ········regexp:·^IgnoreUserKnownHosts |
| 262 | ········line:·IgnoreUserKnownHosts·yes | 281 | ········line:·IgnoreUserKnownHosts·yes |
| 263 | ········validate:·sshd·-t·-f·%s | 282 | ········validate:·sshd·-t·-f·%s |
| Offset 313, 31 lines modified | Offset 332, 38 lines modified | ||
| 313 | ········-·NIST-800-53-AC-2(5) | 332 | ········-·NIST-800-53-AC-2(5) |
| 314 | ········-·NIST-800-53-SA-8 | 333 | ········-·NIST-800-53-SA-8 |
| 315 | ········-·NIST-800-53-AC-12 | 334 | ········-·NIST-800-53-AC-12 |
| 316 | ········-·NIST-800-171-3.1.11 | 335 | ········-·NIST-800-171-3.1.11 |
| 317 | ········-·CJIS-5.5.6 | 336 | ········-·CJIS-5.5.6 |
| 318 | ········-·DISA-STIG-RHEL-07-040340 | 337 | ········-·DISA-STIG-RHEL-07-040340 |
| 319 | ···· | 338 | ···· |
| 320 | ···· | 339 | ···· |
| 340 | ···· | ||
| 341 | ····-·name:·Set·SSH·Idle·Timeout·Interval | ||
| 321 | ······lineinfile: | 342 | ······lineinfile: |
| 322 | ········create:·yes | 343 | ········create:·yes |
| 323 | ········dest:·/etc/ssh/sshd_config | 344 | ········dest:·/etc/ssh/sshd_config |
| 324 | ········regexp:·^ | 345 | ········regexp:·^ClientAliveInterval |
| 325 | ········line:· | 346 | ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}" |
| 326 | ········validate:·sshd·-t·-f·%s | 347 | ········validate:·sshd·-t·-f·%s |
| 348 | ······#notify:·restart·sshd | ||
| 327 | ······tags: | 349 | ······tags: |
| 328 | ········-·sshd_ | 350 | ········-·sshd_set_idle_timeout |
| 329 | ········-· | 351 | ········-·unknown_severity |
| 330 | ········-·restrict_strategy | 352 | ········-·restrict_strategy |
| 331 | ········-·low_complexity | 353 | ········-·low_complexity |
| 332 | ········-·low_disruption | 354 | ········-·low_disruption |
| 333 | ········-·CCE- | 355 | ········-·CCE-27433-2 |
| 334 | ········-·NIST-800-53- | 356 | ········-·NIST-800-53-AC-2(5) |
| 335 | ········-·NIST-800- | 357 | ········-·NIST-800-53-SA-8(i) |
| 336 | ········-· | 358 | ········-·NIST-800-53-AC-12 |
| 359 | ········-·NIST-800-171-3.1.11 | ||
| 360 | ········-·PCI-DSS-Req-8.1.8 | ||
| 361 | ········-·CJIS-5.5.6 | ||
| 362 | ········-·DISA-STIG-RHEL-07-040320 | ||
| 337 | ···· | 363 | ···· |
| 338 | ····-·name:·Enable·SSH·Warning·Banner | 364 | ····-·name:·Enable·SSH·Warning·Banner |
| 339 | ······lineinfile: | 365 | ······lineinfile: |
| 340 | ········create:·yes | 366 | ········create:·yes |
| 341 | ········dest:·/etc/ssh/sshd_config | 367 | ········dest:·/etc/ssh/sshd_config |
| 342 | ········regexp:·^Banner | 368 | ········regexp:·^Banner |
| 343 | ········line:·Banner·/etc/issue | 369 | ········line:·Banner·/etc/issue |
| Offset 377, 33 lines modified | Offset 403, 14 lines modified | ||
| 377 | ········-·NIST-800-53-IA-7 | 403 | ········-·NIST-800-53-IA-7 |
| 378 | ········-·NIST-800-53-SC-13 | 404 | ········-·NIST-800-53-SC-13 |
| 379 | ········-·NIST-800-171-3.1.13 | 405 | ········-·NIST-800-171-3.1.13 |
| 380 | ········-·NIST-800-171-3.13.11 | 406 | ········-·NIST-800-171-3.13.11 |
| 381 | ········-·NIST-800-171-3.13.8 | 407 | ········-·NIST-800-171-3.13.8 |
| 382 | ········-·DISA-STIG-RHEL-07-040400 | 408 | ········-·DISA-STIG-RHEL-07-040400 |
| 383 | ···· | 409 | ···· |
| 384 | ····-·name:·Do·Not·Allow·SSH·Environment·Options | ||
| 385 | ······lineinfile: | ||
| 386 | ········create:·yes | ||
| 387 | ········dest:·/etc/ssh/sshd_config | ||
| 388 | ········regexp:·^PermitUserEnvironment | ||
| 389 | ········line:·PermitUserEnvironment·no | ||
| 390 | ········validate:·sshd·-t·-f·%s | ||
| Max diff block lines reached; 106151/113585 bytes (93.46%) of diff not shown. | |||
| Offset 27, 17 lines modified | Offset 27, 17 lines modified | ||
| 27 | # | 27 | # |
| 28 | #·How·to·apply·this·remediation·role: | 28 | #·How·to·apply·this·remediation·role: |
| 29 | #·$·sudo·./remediation-role.sh | 29 | #·$·sudo·./remediation-role.sh |
| 30 | # | 30 | # |
| 31 | ############################################################################### | 31 | ############################################################################### |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | #·BEGIN·fix·(1·/·188)·for·'package_s | 33 | #·BEGIN·fix·(1·/·188)·for·'package_vsftpd_removed' |
| 34 | ############################################################################### | 34 | ############################################################################### |
| 35 | (>&2·echo·"Remediating·rule·1/188:·'package_s | 35 | (>&2·echo·"Remediating·rule·1/188:·'package_vsftpd_removed'") |
| 36 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 36 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 37 | # | 37 | # |
| 38 | #·Example·Call(s): | 38 | #·Example·Call(s): |
| 39 | # | 39 | # |
| 40 | #·····package_remove·telnet-server | 40 | #·····package_remove·telnet-server |
| 41 | # | 41 | # |
| 42 | function·package_remove·{ | 42 | function·package_remove·{ |
| Offset 67, 16 lines modified | Offset 67, 16 lines modified | ||
| 67 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 67 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 68 | ··echo·"Aborting." | 68 | ··echo·"Aborting." |
| 69 | ··exit·1 | 69 | ··exit·1 |
| 70 | fi | 70 | fi |
| 71 | } | 71 | } |
| 72 | package_remove·s | 72 | package_remove·vsftpd |
| 73 | #·END·fix·for·'package_s | 73 | #·END·fix·for·'package_vsftpd_removed' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | #·BEGIN·fix·(2·/·188)·for·'package_httpd_removed' | 75 | #·BEGIN·fix·(2·/·188)·for·'package_httpd_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | (>&2·echo·"Remediating·rule·2/188:·'package_httpd_removed'") | 77 | (>&2·echo·"Remediating·rule·2/188:·'package_httpd_removed'") |
| 78 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 78 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 79 | # | 79 | # |
| Offset 115, 24 lines modified | Offset 115, 61 lines modified | ||
| 115 | } | 115 | } |
| 116 | package_remove·httpd | 116 | package_remove·httpd |
| 117 | #·END·fix·for·'package_httpd_removed' | 117 | #·END·fix·for·'package_httpd_removed' |
| 118 | ############################################################################### | 118 | ############################################################################### |
| 119 | #·BEGIN·fix·(3·/·188)·for·'p | 119 | #·BEGIN·fix·(3·/·188)·for·'package_bind_removed' |
| 120 | ############################################################################### | 120 | ############################################################################### |
| 121 | (>&2·echo·"Remediating·rule·3/188:·'p | 121 | (>&2·echo·"Remediating·rule·3/188:·'package_bind_removed'") |
| 122 | #·F | 122 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 123 | # | 123 | # |
| 124 | #·Example·Call(s): | ||
| 125 | # | ||
| 126 | #·····package_remove·telnet-server | ||
| 127 | # | ||
| 128 | function·package_remove·{ | ||
| 129 | #·Load·function·arguments·into·local·variables | ||
| 130 | local·package="$1" | ||
| 131 | #·Check·sanity·of·the·input | ||
| 132 | if·[·$#·-ne·"1"·] | ||
| 133 | then | ||
| 134 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 135 | ··echo·"Aborting." | ||
| 136 | ··exit·1 | ||
| 137 | fi | ||
| 138 | if·which·dnf·;·then | ||
| 139 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 140 | ····dnf·remove·-y·"$package" | ||
| 141 | ··fi | ||
| 142 | elif·which·yum·;·then | ||
| 143 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 144 | ····yum·remove·-y·"$package" | ||
| 145 | ··fi | ||
| 146 | elif·which·apt-get·;·then | ||
| 147 | ··apt-get·remove·-y·"$package" | ||
| 148 | else | ||
| 149 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 150 | ··echo·"Aborting." | ||
| 151 | ··exit·1 | ||
| 152 | fi | ||
| 153 | } | ||
| 154 | package_remove·bind | ||
| 155 | #·END·fix·for·'package_bind_removed' | ||
| 124 | ############################################################################### | 156 | ############################################################################### |
| 125 | #·BEGIN·fix·(4·/·188)·for·'package_ | 157 | #·BEGIN·fix·(4·/·188)·for·'package_samba_removed' |
| 126 | ############################################################################### | 158 | ############################################################################### |
| 127 | (>&2·echo·"Remediating·rule·4/188:·'package_ | 159 | (>&2·echo·"Remediating·rule·4/188:·'package_samba_removed'") |
| 128 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 160 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 129 | # | 161 | # |
| 130 | #·Example·Call(s): | 162 | #·Example·Call(s): |
| 131 | # | 163 | # |
| 132 | #·····package_remove·telnet-server | 164 | #·····package_remove·telnet-server |
| 133 | # | 165 | # |
| 134 | function·package_remove·{ | 166 | function·package_remove·{ |
| Offset 162, 16 lines modified | Offset 199, 16 lines modified | ||
| 162 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 199 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 163 | ··echo·"Aborting." | 200 | ··echo·"Aborting." |
| 164 | ··exit·1 | 201 | ··exit·1 |
| 165 | fi | 202 | fi |
| 166 | } | 203 | } |
| 167 | package_remove· | 204 | package_remove·samba |
| 168 | #·END·fix·for·'package_ | 205 | #·END·fix·for·'package_samba_removed' |
| 169 | ############################################################################### | 206 | ############################################################################### |
| 170 | #·BEGIN·fix·(5·/·188)·for·'service_ntpd_enabled' | 207 | #·BEGIN·fix·(5·/·188)·for·'service_ntpd_enabled' |
| 171 | ############################################################################### | 208 | ############################################################################### |
| 172 | (>&2·echo·"Remediating·rule·5/188:·'service_ntpd_enabled'") | 209 | (>&2·echo·"Remediating·rule·5/188:·'service_ntpd_enabled'") |
| 173 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 210 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 174 | # | 211 | # |
| Offset 262, 17 lines modified | Offset 299, 105 lines modified | ||
| 262 | #·BEGIN·fix·(7·/·188)·for·'ntpd_specify_remote_server' | 299 | #·BEGIN·fix·(7·/·188)·for·'ntpd_specify_remote_server' |
| 263 | ############################################################################### | 300 | ############################################################################### |
| 264 | (>&2·echo·"Remediating·rule·7/188:·'ntpd_specify_remote_server'") | 301 | (>&2·echo·"Remediating·rule·7/188:·'ntpd_specify_remote_server'") |
| 265 | #·FIX·FOR·THIS·RULE·IS·MISSING | 302 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 266 | #·END·fix·for·'ntpd_specify_remote_server' | 303 | #·END·fix·for·'ntpd_specify_remote_server' |
| 267 | ############################################################################### | 304 | ############################################################################### |
| 268 | #·BEGIN·fix·(8·/·188)·for·' | 305 | #·BEGIN·fix·(8·/·188)·for·'package_openldap-servers_removed' |
| 269 | ############################################################################### | 306 | ############################################################################### |
| 270 | (>&2·echo·"Remediating·rule·8/188:·' | 307 | (>&2·echo·"Remediating·rule·8/188:·'package_openldap-servers_removed'") |
| 308 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 309 | # | ||
| 310 | #·Example·Call(s): | ||
| Max diff block lines reached; 329997/337019 bytes (97.92%) of diff not shown. | |||
| Offset 18, 17 lines modified | Offset 18, 31 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·313)·for·' | 24 | #·BEGIN·fix·(1·/·313)·for·'ftp_log_transactions' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/313:·' | 26 | (>&2·echo·"Remediating·rule·1/313:·'ftp_log_transactions'") |
| 27 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 28 | #·END·fix·for·'ftp_log_transactions' | ||
| 29 | ############################################################################### | ||
| 30 | #·BEGIN·fix·(2·/·313)·for·'ftp_present_banner' | ||
| 31 | ############################################################################### | ||
| 32 | (>&2·echo·"Remediating·rule·2/313:·'ftp_present_banner'") | ||
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 34 | #·END·fix·for·'ftp_present_banner' | ||
| 35 | ############################################################################### | ||
| 36 | #·BEGIN·fix·(3·/·313)·for·'service_vsftpd_disabled' | ||
| 37 | ############################################################################### | ||
| 38 | (>&2·echo·"Remediating·rule·3/313:·'service_vsftpd_disabled'") | ||
| 27 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 39 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 28 | # | 40 | # |
| 29 | #·Example·Call(s): | 41 | #·Example·Call(s): |
| 30 | # | 42 | # |
| 31 | #·····service_command·enable·bluetooth | 43 | #·····service_command·enable·bluetooth |
| 32 | #·····service_command·disable·bluetooth.service | 44 | #·····service_command·disable·bluetooth.service |
| 33 | # | 45 | # |
| Offset 96, 49 lines modified | Offset 110, 60 lines modified | ||
| 96 | ··else | 110 | ··else |
| 97 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 111 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 98 | ··fi | 112 | ··fi |
| 99 | fi | 113 | fi |
| 100 | } | 114 | } |
| 101 | service_command·disable·s | 115 | service_command·disable·vsftpd |
| 102 | #·END·fix·for·'service_s | 116 | #·END·fix·for·'service_vsftpd_disabled' |
| 103 | ############################################################################### | 117 | ############################################################################### |
| 104 | #·BEGIN·fix·( | 118 | #·BEGIN·fix·(4·/·313)·for·'package_vsftpd_removed' |
| 105 | ############################################################################### | 119 | ############################################################################### |
| 106 | (>&2·echo·"Remediating·rule· | 120 | (>&2·echo·"Remediating·rule·4/313:·'package_vsftpd_removed'") |
| 107 | #·F | 121 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 108 | # | 122 | # |
| 123 | #·Example·Call(s): | ||
| 124 | # | ||
| 125 | #·····package_remove·telnet-server | ||
| 126 | # | ||
| 127 | function·package_remove·{ | ||
| 109 | # | 128 | #·Load·function·arguments·into·local·variables |
| 110 | 129 | local·package="$1" | |
| 111 | ############################################################################### | ||
| 112 | (>&2·echo·"Remediating·rule·3/313:·'require_smb_client_signing'") | ||
| 113 | ###################################################################### | ||
| 114 | #By·Luke·"Brisk-OH"·Brisk | ||
| 115 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | ||
| 116 | ###################################################################### | ||
| 117 | 130 | #·Check·sanity·of·the·input | |
| 131 | if·[·$#·-ne·"1"·] | ||
| 132 | then | ||
| 133 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 134 | ··echo·"Aborting." | ||
| 135 | ··exit·1 | ||
| 136 | fi | ||
| 118 | if· | 137 | if·which·dnf·;·then |
| 119 | 138 | ··if·rpm·-q·--quiet·"$package";·then | |
| 120 | 139 | ····dnf·remove·-y·"$package" | |
| 140 | ··fi | ||
| 141 | elif·which·yum·;·then | ||
| 142 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 143 | ····yum·remove·-y·"$package" | ||
| 144 | ··fi | ||
| 145 | elif·which·apt-get·;·then | ||
| 146 | ··apt-get·remove·-y·"$package" | ||
| 121 | else | 147 | else |
| 122 | 148 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 149 | ··echo·"Aborting." | ||
| 150 | ··exit·1 | ||
| 123 | fi | 151 | fi |
| 124 | #·END·fix·for·'require_smb_client_signing' | ||
| 125 | 152 | } | |
| 126 | #·BEGIN·fix·(4·/·313)·for·'mount_option_smb_client_signing' | ||
| 127 | 153 | package_remove·vsftpd | |
| 128 | 154 | #·END·fix·for·'package_vsftpd_removed' | |
| 129 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 130 | #·END·fix·for·'mount_option_smb_client_signing' | ||
| 131 | ############################################################################### | 155 | ############################################################################### |
| 132 | #·BEGIN·fix·(5·/·313)·for·'package_httpd_removed' | 156 | #·BEGIN·fix·(5·/·313)·for·'package_httpd_removed' |
| 133 | ############################################################################### | 157 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule·5/313:·'package_httpd_removed'") | 158 | (>&2·echo·"Remediating·rule·5/313:·'package_httpd_removed'") |
| 135 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 159 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 136 | # | 160 | # |
| Offset 248, 94 lines modified | Offset 273, 183 lines modified | ||
| 248 | #·BEGIN·fix·(15·/·313)·for·'httpd_ldap_support' | 273 | #·BEGIN·fix·(15·/·313)·for·'httpd_ldap_support' |
| 249 | ############################################################################### | 274 | ############################################################################### |
| 250 | (>&2·echo·"Remediating·rule·15/313:·'httpd_ldap_support'") | 275 | (>&2·echo·"Remediating·rule·15/313:·'httpd_ldap_support'") |
| 251 | #·FIX·FOR·THIS·RULE·IS·MISSING | 276 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 252 | #·END·fix·for·'httpd_ldap_support' | 277 | #·END·fix·for·'httpd_ldap_support' |
| 253 | ############################################################################### | 278 | ############################################################################### |
| 254 | #·BEGIN·fix·(16·/·313)·for·'httpd_ | 279 | #·BEGIN·fix·(16·/·313)·for·'httpd_cgi_support' |
| 255 | ############################################################################### | 280 | ############################################################################### |
| 256 | (>&2·echo·"Remediating·rule·16/313:·'httpd_ | 281 | (>&2·echo·"Remediating·rule·16/313:·'httpd_cgi_support'") |
| 257 | #·FIX·FOR·THIS·RULE·IS·MISSING | 282 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 258 | #·END·fix·for·'httpd_ | 283 | #·END·fix·for·'httpd_cgi_support' |
| 259 | ############################################################################### | 284 | ############################################################################### |
| 260 | #·BEGIN·fix·(17·/·313)·for·'httpd_ | 285 | #·BEGIN·fix·(17·/·313)·for·'httpd_url_correction' |
| 261 | ############################################################################### | 286 | ############################################################################### |
| 262 | (>&2·echo·"Remediating·rule·17/313:·'httpd_ | 287 | (>&2·echo·"Remediating·rule·17/313:·'httpd_url_correction'") |
| 263 | #·FIX·FOR·THIS·RULE·IS·MISSING | 288 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 264 | #·END·fix·for·'httpd_ | 289 | #·END·fix·for·'httpd_url_correction' |
| 265 | ############################################################################### | 290 | ############################################################################### |
| 266 | #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status' | 291 | #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status' |
| 267 | ############################################################################### | 292 | ############################################################################### |
| 268 | (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'") | 293 | (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'") |
| 269 | #·FIX·FOR·THIS·RULE·IS·MISSING | 294 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| Max diff block lines reached; 441404/447704 bytes (98.59%) of diff not shown. | |||
| Offset 23, 46 lines modified | Offset 23, 99 lines modified | ||
| 23 | # | 23 | # |
| 24 | #·How·to·apply·this·remediation·role: | 24 | #·How·to·apply·this·remediation·role: |
| 25 | #·$·sudo·./remediation-role.sh | 25 | #·$·sudo·./remediation-role.sh |
| 26 | # | 26 | # |
| 27 | ############################################################################### | 27 | ############################################################################### |
| 28 | ############################################################################### | 28 | ############################################################################### |
| 29 | #·BEGIN·fix·(1·/·215)·for·' | 29 | #·BEGIN·fix·(1·/·215)·for·'service_vsftpd_disabled' |
| 30 | ############################################################################### | 30 | ############################################################################### |
| 31 | (>&2·echo·"Remediating·rule·1/215:·' | 31 | (>&2·echo·"Remediating·rule·1/215:·'service_vsftpd_disabled'") |
| 32 | #·F | 32 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 33 | # | 33 | # |
| 34 | #·Example·Call(s): | ||
| 35 | # | ||
| 36 | #·····service_command·enable·bluetooth | ||
| 37 | #·····service_command·disable·bluetooth.service | ||
| 38 | # | ||
| 39 | #·····Using·xinetd: | ||
| 40 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 41 | # | ||
| 42 | function·service_command·{ | ||
| 34 | # | 43 | #·Load·function·arguments·into·local·variables |
| 35 | 44 | local·service_state=$1 | |
| 36 | 45 | local·service=$2 | |
| 37 | 46 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | |
| 38 | 47 | #·Check·sanity·of·the·input | |
| 39 | 48 | if·[·$#·-lt·"2"·] | |
| 49 | then | ||
| 50 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 51 | ··echo | ||
| 52 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 53 | ··echo·"as·the·last·argument"·· | ||
| 54 | ··echo·"Aborting." | ||
| 55 | ··exit·1 | ||
| 56 | fi | ||
| 40 | # | 57 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands |
| 41 | 58 | if·[·-f·"/usr/bin/systemctl"·]·;·then | |
| 42 | 59 | ··service_util="/usr/bin/systemctl" | |
| 43 | 60 | else | |
| 44 | 61 | ··service_util="/sbin/service" | |
| 45 | 62 | ··chkconfig_util="/sbin/chkconfig" | |
| 63 | fi | ||
| 46 | # | 64 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. |
| 47 | #· | 65 | #·Otherwise,·variables·are·to·be·set·to·disable·services. |
| 48 | 66 | if·[·"$service_state"·!=·'disable'·]·;·then | |
| 49 | 67 | ··service_state="enable" | |
| 50 | 68 | ··service_operation="start" | |
| 51 | 69 | ··chkconfig_state="on" | |
| 70 | else | ||
| 71 | ··service_state="disable" | ||
| 72 | ··service_operation="stop" | ||
| 73 | ··chkconfig_state="off" | ||
| 74 | fi | ||
| 75 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 76 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 77 | ··$service_util·$service·$service_operation | ||
| 78 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 79 | else | ||
| 80 | ··$service_util·$service_operation·$service | ||
| 81 | ··$service_util·$service_state·$service | ||
| 82 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 83 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 84 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 85 | ··$service_util·reset-failed·$service | ||
| 86 | fi | ||
| 87 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 88 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 89 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 90 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 91 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 92 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 93 | ··else | ||
| 94 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 95 | ··fi | ||
| 96 | fi | ||
| 97 | } | ||
| 98 | service_command·disable·vsftpd | ||
| 99 | #·END·fix·for·'service_vsftpd_disabled' | ||
| 52 | ############################################################################### | 100 | ############################################################################### |
| 53 | #·BEGIN·fix·( | 101 | #·BEGIN·fix·(2·/·215)·for·'package_vsftpd_removed' |
| 54 | ############################################################################### | 102 | ############################################################################### |
| 55 | (>&2·echo·"Remediating·rule· | 103 | (>&2·echo·"Remediating·rule·2/215:·'package_vsftpd_removed'") |
| 56 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 104 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 57 | # | 105 | # |
| 58 | #·Example·Call(s): | 106 | #·Example·Call(s): |
| 59 | # | 107 | # |
| 60 | #·····package_remove·telnet-server | 108 | #·····package_remove·telnet-server |
| 61 | # | 109 | # |
| 62 | function·package_remove·{ | 110 | function·package_remove·{ |
| Offset 92, 49 lines modified | Offset 145, 132 lines modified | ||
| 92 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 145 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 93 | ··echo·"Aborting." | 146 | ··echo·"Aborting." |
| 94 | ··exit·1 | 147 | ··exit·1 |
| 95 | fi | 148 | fi |
| 96 | } | 149 | } |
| 97 | package_remove· | 150 | package_remove·vsftpd |
| 98 | #·END·fix·for·'package_ | 151 | #·END·fix·for·'package_vsftpd_removed' |
| 99 | ############################################################################### | 152 | ############################################################################### |
| 100 | #·BEGIN·fix·( | 153 | #·BEGIN·fix·(3·/·215)·for·'httpd_servertokens_prod' |
| 101 | ############################################################################### | 154 | ############################################################################### |
| 102 | (>&2·echo·"Remediating·rule· | 155 | (>&2·echo·"Remediating·rule·3/215:·'httpd_servertokens_prod'") |
| 103 | #·FIX·FOR·THIS·RULE·IS·MISSING | 156 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 104 | #·END·fix·for·' | 157 | #·END·fix·for·'httpd_servertokens_prod' |
| 105 | ############################################################################### | 158 | ############################################################################### |
| 106 | #·BEGIN·fix·( | 159 | #·BEGIN·fix·(4·/·215)·for·'file_permissions_httpd_server_conf_files' |
| 107 | ############################################################################### | 160 | ############################################################################### |
| 108 | (>&2·echo·"Remediating·rule· | 161 | (>&2·echo·"Remediating·rule·4/215:·'file_permissions_httpd_server_conf_files'") |
| 109 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 110 | 162 | chmod·0640·/etc/httpd/conf/* | |
| 163 | #·END·fix·for·'file_permissions_httpd_server_conf_files' | ||
| 111 | ############################################################################### | 164 | ############################################################################### |
| 112 | #·BEGIN·fix·( | 165 | #·BEGIN·fix·(5·/·215)·for·'dir_perms_var_log_httpd' |
| Max diff block lines reached; 292875/299278 bytes (97.86%) of diff not shown. | |||
| Offset 19, 17 lines modified | Offset 19, 17 lines modified | ||
| 19 | # | 19 | # |
| 20 | #·How·to·apply·this·remediation·role: | 20 | #·How·to·apply·this·remediation·role: |
| 21 | #·$·sudo·./remediation-role.sh | 21 | #·$·sudo·./remediation-role.sh |
| 22 | # | 22 | # |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | ############################################################################### | 24 | ############################################################################### |
| 25 | #·BEGIN·fix·(1·/·206)·for·'service_s | 25 | #·BEGIN·fix·(1·/·206)·for·'service_vsftpd_disabled' |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | (>&2·echo·"Remediating·rule·1/206:·'service_s | 27 | (>&2·echo·"Remediating·rule·1/206:·'service_vsftpd_disabled'") |
| 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 29 | # | 29 | # |
| 30 | #·Example·Call(s): | 30 | #·Example·Call(s): |
| 31 | # | 31 | # |
| 32 | #·····service_command·enable·bluetooth | 32 | #·····service_command·enable·bluetooth |
| 33 | #·····service_command·disable·bluetooth.service | 33 | #·····service_command·disable·bluetooth.service |
| 34 | # | 34 | # |
| Offset 97, 47 lines modified | Offset 97, 65 lines modified | ||
| 97 | ··else | 97 | ··else |
| 98 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 98 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 99 | ··fi | 99 | ··fi |
| 100 | fi | 100 | fi |
| 101 | } | 101 | } |
| 102 | service_command·disable·s | 102 | service_command·disable·vsftpd |
| 103 | #·END·fix·for·'service_s | 103 | #·END·fix·for·'service_vsftpd_disabled' |
| 104 | ############################################################################### | 104 | ############################################################################### |
| 105 | #·BEGIN·fix·(2·/·206)·for·' | 105 | #·BEGIN·fix·(2·/·206)·for·'package_vsftpd_removed' |
| 106 | ############################################################################### | 106 | ############################################################################### |
| 107 | (>&2·echo·"Remediating·rule·2/206:·' | 107 | (>&2·echo·"Remediating·rule·2/206:·'package_vsftpd_removed'") |
| 108 | # | 108 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 109 | # | 109 | # |
| 110 | # | 110 | #·Example·Call(s): |
| 111 | # | 111 | # |
| 112 | #·····package_remove·telnet-server | ||
| 113 | # | ||
| 114 | function·package_remove·{ | ||
| 112 | 115 | #·Load·function·arguments·into·local·variables | |
| 116 | local·package="$1" | ||
| 113 | 117 | #·Check·sanity·of·the·input | |
| 114 | 118 | if·[·$#·-ne·"1"·] | |
| 115 | 119 | then | |
| 120 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 121 | ··echo·"Aborting." | ||
| 122 | ··exit·1 | ||
| 123 | fi | ||
| 124 | if·which·dnf·;·then | ||
| 125 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 126 | ····dnf·remove·-y·"$package" | ||
| 127 | ··fi | ||
| 128 | elif·which·yum·;·then | ||
| 129 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 130 | ····yum·remove·-y·"$package" | ||
| 131 | ··fi | ||
| 132 | elif·which·apt-get·;·then | ||
| 133 | ··apt-get·remove·-y·"$package" | ||
| 116 | else | 134 | else |
| 117 | 135 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 136 | ··echo·"Aborting." | ||
| 137 | ··exit·1 | ||
| 118 | fi | 138 | fi |
| 119 | #·END·fix·for·'require_smb_client_signing' | ||
| 120 | 139 | } | |
| 121 | #·BEGIN·fix·(3·/·206)·for·'mount_option_smb_client_signing' | ||
| 122 | 140 | package_remove·vsftpd | |
| 123 | 141 | #·END·fix·for·'package_vsftpd_removed' | |
| 124 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 125 | #·END·fix·for·'mount_option_smb_client_signing' | ||
| 126 | ############################################################################### | 142 | ############################################################################### |
| 127 | #·BEGIN·fix·( | 143 | #·BEGIN·fix·(3·/·206)·for·'service_httpd_disabled' |
| 128 | ############################################################################### | 144 | ############################################################################### |
| 129 | (>&2·echo·"Remediating·rule· | 145 | (>&2·echo·"Remediating·rule·3/206:·'service_httpd_disabled'") |
| 130 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 146 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 131 | # | 147 | # |
| 132 | #·Example·Call(s): | 148 | #·Example·Call(s): |
| 133 | # | 149 | # |
| 134 | #·····service_command·enable·bluetooth | 150 | #·····service_command·enable·bluetooth |
| 135 | #·····service_command·disable·bluetooth.service | 151 | #·····service_command·disable·bluetooth.service |
| 136 | # | 152 | # |
| Offset 209, 17 lines modified | Offset 227, 17 lines modified | ||
| 209 | } | 227 | } |
| 210 | service_command·disable·httpd | 228 | service_command·disable·httpd |
| 211 | #·END·fix·for·'service_httpd_disabled' | 229 | #·END·fix·for·'service_httpd_disabled' |
| 212 | ############################################################################### | 230 | ############################################################################### |
| 213 | #·BEGIN·fix·( | 231 | #·BEGIN·fix·(4·/·206)·for·'package_httpd_removed' |
| 214 | ############################################################################### | 232 | ############################################################################### |
| 215 | (>&2·echo·"Remediating·rule· | 233 | (>&2·echo·"Remediating·rule·4/206:·'package_httpd_removed'") |
| 216 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 234 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 217 | # | 235 | # |
| 218 | #·Example·Call(s): | 236 | #·Example·Call(s): |
| 219 | # | 237 | # |
| 220 | #·····package_remove·telnet-server | 238 | #·····package_remove·telnet-server |
| 221 | # | 239 | # |
| 222 | function·package_remove·{ | 240 | function·package_remove·{ |
| Offset 253, 24 lines modified | Offset 271, 99 lines modified | ||
| 253 | } | 271 | } |
| 254 | package_remove·httpd | 272 | package_remove·httpd |
| 255 | #·END·fix·for·'package_httpd_removed' | 273 | #·END·fix·for·'package_httpd_removed' |
| 256 | ############################################################################### | 274 | ############################################################################### |
| 257 | #·BEGIN·fix·( | 275 | #·BEGIN·fix·(5·/·206)·for·'service_named_disabled' |
| 258 | ############################################################################### | 276 | ############################################################################### |
| 259 | (>&2·echo·"Remediating·rule· | 277 | (>&2·echo·"Remediating·rule·5/206:·'service_named_disabled'") |
| 260 | #·F | 278 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 261 | # | 279 | # |
| 280 | #·Example·Call(s): | ||
| 281 | # | ||
| 282 | #·····service_command·enable·bluetooth | ||
| 283 | #·····service_command·disable·bluetooth.service | ||
| 284 | # | ||
| 285 | #·····Using·xinetd: | ||
| 286 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 287 | # | ||
| 288 | function·service_command·{ | ||
| Max diff block lines reached; 321323/328772 bytes (97.73%) of diff not shown. | |||
| Offset 114, 17 lines modified | Offset 114, 181 lines modified | ||
| 114 | #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server' | 114 | #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server' |
| 115 | ############################################################################### | 115 | ############################################################################### |
| 116 | (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'") | 116 | (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'") |
| 117 | #·FIX·FOR·THIS·RULE·IS·MISSING | 117 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 118 | #·END·fix·for·'ntpd_specify_remote_server' | 118 | #·END·fix·for·'ntpd_specify_remote_server' |
| 119 | ############################################################################### | 119 | ############################################################################### |
| 120 | #·BEGIN·fix·(4·/·211)·for·' | 120 | #·BEGIN·fix·(4·/·211)·for·'service_crond_enabled' |
| 121 | ############################################################################### | 121 | ############################################################################### |
| 122 | (>&2·echo·"Remediating·rule·4/211:·' | 122 | (>&2·echo·"Remediating·rule·4/211:·'service_crond_enabled'") |
| 123 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 124 | # | ||
| 125 | #·Example·Call(s): | ||
| 126 | # | ||
| 127 | #·····service_command·enable·bluetooth | ||
| 128 | #·····service_command·disable·bluetooth.service | ||
| 129 | # | ||
| 130 | #·····Using·xinetd: | ||
| 131 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 132 | # | ||
| 133 | function·service_command·{ | ||
| 134 | #·Load·function·arguments·into·local·variables | ||
| 135 | local·service_state=$1 | ||
| 136 | local·service=$2 | ||
| 137 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 138 | #·Check·sanity·of·the·input | ||
| 139 | if·[·$#·-lt·"2"·] | ||
| 140 | then | ||
| 141 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 142 | ··echo | ||
| 143 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 144 | ··echo·"as·the·last·argument"·· | ||
| 145 | ··echo·"Aborting." | ||
| 146 | ··exit·1 | ||
| 147 | fi | ||
| 148 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 149 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 150 | ··service_util="/usr/bin/systemctl" | ||
| 151 | else | ||
| 152 | ··service_util="/sbin/service" | ||
| 153 | ··chkconfig_util="/sbin/chkconfig" | ||
| 154 | fi | ||
| 155 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 156 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 157 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 158 | ··service_state="enable" | ||
| 159 | ··service_operation="start" | ||
| 160 | ··chkconfig_state="on" | ||
| 161 | else | ||
| 162 | ··service_state="disable" | ||
| 163 | ··service_operation="stop" | ||
| 164 | ··chkconfig_state="off" | ||
| 165 | fi | ||
| 166 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 167 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 168 | ··$service_util·$service·$service_operation | ||
| 169 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 170 | else | ||
| 171 | ··$service_util·$service_operation·$service | ||
| 172 | ··$service_util·$service_state·$service | ||
| 173 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 174 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 175 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 176 | ··$service_util·reset-failed·$service | ||
| 177 | fi | ||
| 178 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 179 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 180 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 181 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 182 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 183 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 184 | ··else | ||
| 185 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 186 | ··fi | ||
| 187 | fi | ||
| 188 | } | ||
| 189 | service_command·enable·crond | ||
| 190 | #·END·fix·for·'service_crond_enabled' | ||
| 191 | ############################################################################### | ||
| 192 | #·BEGIN·fix·(5·/·211)·for·'service_atd_disabled' | ||
| 193 | ############################################################################### | ||
| 194 | (>&2·echo·"Remediating·rule·5/211:·'service_atd_disabled'") | ||
| 195 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 196 | # | ||
| 197 | #·Example·Call(s): | ||
| 198 | # | ||
| 199 | #·····service_command·enable·bluetooth | ||
| 200 | #·····service_command·disable·bluetooth.service | ||
| 201 | # | ||
| 202 | #·····Using·xinetd: | ||
| 203 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 204 | # | ||
| 205 | function·service_command·{ | ||
| 206 | #·Load·function·arguments·into·local·variables | ||
| 207 | local·service_state=$1 | ||
| 208 | local·service=$2 | ||
| 209 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 210 | #·Check·sanity·of·the·input | ||
| 211 | if·[·$#·-lt·"2"·] | ||
| 212 | then | ||
| 213 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 214 | ··echo | ||
| 215 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 216 | ··echo·"as·the·last·argument"·· | ||
| 217 | ··echo·"Aborting." | ||
| 218 | ··exit·1 | ||
| 219 | fi | ||
| 220 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 221 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 222 | ··service_util="/usr/bin/systemctl" | ||
| 223 | else | ||
| 224 | ··service_util="/sbin/service" | ||
| 225 | ··chkconfig_util="/sbin/chkconfig" | ||
| 226 | fi | ||
| Max diff block lines reached; 326691/332694 bytes (98.20%) of diff not shown. | |||
| Offset 18, 17 lines modified | Offset 18, 96 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·192)·for·' | 24 | #·BEGIN·fix·(1·/·192)·for·'ftp_restrict_to_anon' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/192:·' | 26 | (>&2·echo·"Remediating·rule·1/192:·'ftp_restrict_to_anon'") |
| 27 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 28 | #·END·fix·for·'ftp_restrict_to_anon' | ||
| 29 | ############################################################################### | ||
| 30 | #·BEGIN·fix·(2·/·192)·for·'ftp_home_partition' | ||
| 31 | ############################################################################### | ||
| 32 | (>&2·echo·"Remediating·rule·2/192:·'ftp_home_partition'") | ||
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 34 | #·END·fix·for·'ftp_home_partition' | ||
| 35 | ############################################################################### | ||
| 36 | #·BEGIN·fix·(3·/·192)·for·'ftp_log_transactions' | ||
| 37 | ############################################################################### | ||
| 38 | (>&2·echo·"Remediating·rule·3/192:·'ftp_log_transactions'") | ||
| 39 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 40 | #·END·fix·for·'ftp_log_transactions' | ||
| 41 | ############################################################################### | ||
| 42 | #·BEGIN·fix·(4·/·192)·for·'ftp_disable_uploads' | ||
| 43 | ############################################################################### | ||
| 44 | (>&2·echo·"Remediating·rule·4/192:·'ftp_disable_uploads'") | ||
| 45 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 46 | #·END·fix·for·'ftp_disable_uploads' | ||
| 47 | ############################################################################### | ||
| 48 | #·BEGIN·fix·(5·/·192)·for·'ftp_present_banner' | ||
| 49 | ############################################################################### | ||
| 50 | (>&2·echo·"Remediating·rule·5/192:·'ftp_present_banner'") | ||
| 51 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 52 | #·END·fix·for·'ftp_present_banner' | ||
| 53 | ############################################################################### | ||
| 54 | #·BEGIN·fix·(6·/·192)·for·'package_vsftpd_installed' | ||
| 55 | ############################################################################### | ||
| 56 | (>&2·echo·"Remediating·rule·6/192:·'package_vsftpd_installed'") | ||
| 57 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 58 | # | ||
| 59 | #·Example·Call(s): | ||
| 60 | # | ||
| 61 | #·····package_install·aide | ||
| 62 | # | ||
| 63 | function·package_install·{ | ||
| 64 | #·Load·function·arguments·into·local·variables | ||
| 65 | local·package="$1" | ||
| 66 | #·Check·sanity·of·the·input | ||
| 67 | if·[·$#·-ne·"1"·] | ||
| 68 | then | ||
| 69 | ··echo·"Usage:·package_install·'package_name'" | ||
| 70 | ··echo·"Aborting." | ||
| 71 | ··exit·1 | ||
| 72 | fi | ||
| 73 | if·which·dnf·;·then | ||
| 74 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 75 | ····dnf·install·-y·"$package" | ||
| 76 | ··fi | ||
| 77 | elif·which·yum·;·then | ||
| 78 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 79 | ····yum·install·-y·"$package" | ||
| 80 | ··fi | ||
| 81 | elif·which·apt-get·;·then | ||
| 82 | ··apt-get·install·-y·"$package" | ||
| 83 | else | ||
| 84 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 85 | ··echo·"Aborting." | ||
| 86 | ··exit·1 | ||
| 87 | fi | ||
| 88 | } | ||
| 89 | package_install·vsftpd | ||
| 90 | #·END·fix·for·'package_vsftpd_installed' | ||
| 91 | ############################################################################### | ||
| 92 | #·BEGIN·fix·(7·/·192)·for·'require_smb_client_signing' | ||
| 93 | ############################################################################### | ||
| 94 | (>&2·echo·"Remediating·rule·7/192:·'require_smb_client_signing'") | ||
| 27 | ###################################################################### | 95 | ###################################################################### |
| 28 | #By·Luke·"Brisk-OH"·Brisk | 96 | #By·Luke·"Brisk-OH"·Brisk |
| 29 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 97 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 30 | ###################################################################### | 98 | ###################################################################### |
| 31 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 99 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| Offset 37, 38 lines modified | Offset 116, 24 lines modified | ||
| 37 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 116 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 38 | else | 117 | else |
| 39 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 118 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 40 | fi | 119 | fi |
| 41 | #·END·fix·for·'require_smb_client_signing' | 120 | #·END·fix·for·'require_smb_client_signing' |
| 42 | ############################################################################### | 121 | ############################################################################### |
| 43 | #·BEGIN·fix·( | 122 | #·BEGIN·fix·(8·/·192)·for·'mount_option_smb_client_signing' |
| 44 | ############################################################################### | 123 | ############################################################################### |
| 45 | (>&2·echo·"Remediating·rule· | 124 | (>&2·echo·"Remediating·rule·8/192:·'mount_option_smb_client_signing'") |
| 46 | #·FIX·FOR·THIS·RULE·IS·MISSING | 125 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 47 | #·END·fix·for·'mount_option_smb_client_signing' | 126 | #·END·fix·for·'mount_option_smb_client_signing' |
| 48 | ############################################################################### | 127 | ############################################################################### |
| 49 | #·BEGIN·fix·( | 128 | #·BEGIN·fix·(9·/·192)·for·'service_ntpd_enabled' |
| 50 | ############################################################################### | ||
| 51 | (>&2·echo·"Remediating·rule·3/192:·'postfix_network_listening_disabled'") | ||
| 52 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 53 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 54 | ############################################################################### | ||
| 55 | #·BEGIN·fix·(4·/·192)·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 56 | ############################################################################### | ||
| 57 | (>&2·echo·"Remediating·rule·4/192:·'sysconfig_networking_bootproto_ifcfg'") | ||
| 58 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 59 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 60 | ############################################################################### | ||
| 61 | #·BEGIN·fix·(5·/·192)·for·'service_ntpd_enabled' | ||
| 62 | ############################################################################### | 129 | ############################################################################### |
| Max diff block lines reached; 286922/292683 bytes (98.03%) of diff not shown. | |||
| Offset 22, 43 lines modified | Offset 22, 61 lines modified | ||
| 22 | # | 22 | # |
| 23 | #·How·to·apply·this·remediation·role: | 23 | #·How·to·apply·this·remediation·role: |
| 24 | #·$·sudo·./remediation-role.sh | 24 | #·$·sudo·./remediation-role.sh |
| 25 | # | 25 | # |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | ############################################################################### | 27 | ############################################################################### |
| 28 | #·BEGIN·fix·(1·/·270)·for·' | 28 | #·BEGIN·fix·(1·/·270)·for·'package_vsftpd_removed' |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | (>&2·echo·"Remediating·rule·1/270:·' | 30 | (>&2·echo·"Remediating·rule·1/270:·'package_vsftpd_removed'") |
| 31 | # | 31 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 32 | # | 32 | # |
| 33 | # | 33 | #·Example·Call(s): |
| 34 | # | 34 | # |
| 35 | #·····package_remove·telnet-server | ||
| 36 | # | ||
| 37 | function·package_remove·{ | ||
| 35 | 38 | #·Load·function·arguments·into·local·variables | |
| 39 | local·package="$1" | ||
| 36 | 40 | #·Check·sanity·of·the·input | |
| 37 | 41 | if·[·$#·-ne·"1"·] | |
| 38 | 42 | then | |
| 43 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 44 | ··echo·"Aborting." | ||
| 45 | ··exit·1 | ||
| 46 | fi | ||
| 47 | if·which·dnf·;·then | ||
| 48 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 49 | ····dnf·remove·-y·"$package" | ||
| 50 | ··fi | ||
| 51 | elif·which·yum·;·then | ||
| 52 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 53 | ····yum·remove·-y·"$package" | ||
| 54 | ··fi | ||
| 55 | elif·which·apt-get·;·then | ||
| 56 | ··apt-get·remove·-y·"$package" | ||
| 39 | else | 57 | else |
| 40 | 58 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 59 | ··echo·"Aborting." | ||
| 60 | ··exit·1 | ||
| 41 | fi | 61 | fi |
| 42 | #·END·fix·for·'require_smb_client_signing' | ||
| 43 | 62 | } | |
| 44 | #·BEGIN·fix·(2·/·270)·for·'mount_option_smb_client_signing' | ||
| 45 | 63 | package_remove·vsftpd | |
| 46 | 64 | #·END·fix·for·'package_vsftpd_removed' | |
| 47 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 48 | #·END·fix·for·'mount_option_smb_client_signing' | ||
| 49 | ############################################################################### | 65 | ############################################################################### |
| 50 | #·BEGIN·fix·( | 66 | #·BEGIN·fix·(2·/·270)·for·'service_httpd_disabled' |
| 51 | ############################################################################### | 67 | ############################################################################### |
| 52 | (>&2·echo·"Remediating·rule· | 68 | (>&2·echo·"Remediating·rule·2/270:·'service_httpd_disabled'") |
| 53 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 69 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 54 | # | 70 | # |
| 55 | #·Example·Call(s): | 71 | #·Example·Call(s): |
| 56 | # | 72 | # |
| 57 | #·····service_command·enable·bluetooth | 73 | #·····service_command·enable·bluetooth |
| 58 | #·····service_command·disable·bluetooth.service | 74 | #·····service_command·disable·bluetooth.service |
| 59 | # | 75 | # |
| Offset 130, 17 lines modified | Offset 148, 17 lines modified | ||
| 130 | } | 148 | } |
| 131 | service_command·disable·httpd | 149 | service_command·disable·httpd |
| 132 | #·END·fix·for·'service_httpd_disabled' | 150 | #·END·fix·for·'service_httpd_disabled' |
| 133 | ############################################################################### | 151 | ############################################################################### |
| 134 | #·BEGIN·fix·( | 152 | #·BEGIN·fix·(3·/·270)·for·'package_httpd_removed' |
| 135 | ############################################################################### | 153 | ############################################################################### |
| 136 | (>&2·echo·"Remediating·rule· | 154 | (>&2·echo·"Remediating·rule·3/270:·'package_httpd_removed'") |
| 137 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 155 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 138 | # | 156 | # |
| 139 | #·Example·Call(s): | 157 | #·Example·Call(s): |
| 140 | # | 158 | # |
| 141 | #·····package_remove·telnet-server | 159 | #·····package_remove·telnet-server |
| 142 | # | 160 | # |
| 143 | function·package_remove·{ | 161 | function·package_remove·{ |
| Offset 174, 75 lines modified | Offset 192, 99 lines modified | ||
| 174 | } | 192 | } |
| 175 | package_remove·httpd | 193 | package_remove·httpd |
| 176 | #·END·fix·for·'package_httpd_removed' | 194 | #·END·fix·for·'package_httpd_removed' |
| 177 | ############################################################################### | 195 | ############################################################################### |
| 178 | #·BEGIN·fix·( | 196 | #·BEGIN·fix·(4·/·270)·for·'service_named_disabled' |
| 179 | ############################################################################### | 197 | ############################################################################### |
| 180 | (>&2·echo·"Remediating·rule· | 198 | (>&2·echo·"Remediating·rule·4/270:·'service_named_disabled'") |
| 181 | #·F | 199 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 182 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 183 | ############################################################################### | ||
| 184 | #·BEGIN·fix·(6·/·270)·for·'package_sendmail_removed' | ||
| 185 | ############################################################################### | ||
| 186 | (>&2·echo·"Remediating·rule·6/270:·'package_sendmail_removed'") | ||
| 187 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 188 | # | 200 | # |
| 189 | #·Example·Call(s): | 201 | #·Example·Call(s): |
| 190 | # | 202 | # |
| 191 | #····· | 203 | #·····service_command·enable·bluetooth |
| 204 | #·····service_command·disable·bluetooth.service | ||
| 192 | # | 205 | # |
| 193 | 206 | #·····Using·xinetd: | |
| 207 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 208 | # | ||
| 209 | function·service_command·{ | ||
| 194 | #·Load·function·arguments·into·local·variables | 210 | #·Load·function·arguments·into·local·variables |
| 195 | local· | 211 | local·service_state=$1 |
| 212 | local·service=$2 | ||
| 213 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 196 | #·Check·sanity·of·the·input | 214 | #·Check·sanity·of·the·input |
| 197 | if·[·$#·- | 215 | if·[·$#·-lt·"2"·] |
| 198 | then | 216 | then |
| 199 | ··echo·"Usage:· | 217 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" |
| 218 | ··echo | ||
| 219 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 220 | ··echo·"as·the·last·argument"·· | ||
| 200 | ··echo·"Aborting." | 221 | ··echo·"Aborting." |
| 201 | ··exit·1 | 222 | ··exit·1 |
| 202 | fi | 223 | fi |
| Max diff block lines reached; 415516/421004 bytes (98.70%) of diff not shown. | |||
| Offset 128, 424 lines modified | Offset 128, 17 lines modified | ||
| 128 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config | 128 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config |
| 129 | if·!·[·$?·-eq·0·];·then | 129 | if·!·[·$?·-eq·0·];·then |
| 130 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config | 130 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config |
| 131 | fi | 131 | fi |
| 132 | #·END·fix·for·'sshd_set_idle_timeout' | 132 | #·END·fix·for·'sshd_set_idle_timeout' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | #·BEGIN·fix·(5·/·94)·for·'r | 134 | #·BEGIN·fix·(5·/·94)·for·'rsyslog_files_permissions' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | (>&2·echo·"Remediating·rule·5/94:·'r | 136 | (>&2·echo·"Remediating·rule·5/94:·'rsyslog_files_permissions'") |
| 137 | #·Declare·array·to·hold·list·of·RPM·packages·we·need·to·correct·permissions·for | ||
| 138 | declare·-a·SETPERMS_RPM_LIST | ||
| 139 | #·Create·a·list·of·files·on·the·system·having·permissions·different·from·what | ||
| 140 | #·is·expected·by·the·RPM·database | ||
| 141 | FILES_WITH_INCORRECT_PERMS=($(rpm·-Va·--nofiledigest·|·grep·'^.M'·|·cut·-d·'·'·-f4-)) | ||
| 142 | #·For·each·file·path·from·that·list: | ||
| 143 | #·*·Determine·the·RPM·package·the·file·path·is·shipped·by, | ||
| 144 | #·*·Include·it·into·SETPERMS_RPM_LIST·array | ||
| 145 | for·FILE_PATH·in·"${FILES_WITH_INCORRECT_PERMS[@]}" | ||
| 146 | do | ||
| 147 | » RPM_PACKAGE=$(rpm·-qf·"$FILE_PATH") | ||
| 148 | » SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}"·"$RPM_PACKAGE") | ||
| 149 | done | ||
| 150 | #·Remove·duplicate·mention·of·same·RPM·in·$SETPERMS_RPM_LIST·(if·any) | ||
| 151 | SETPERMS_RPM_LIST=(·$(echo·"${SETPERMS_RPM_LIST[@]}"·|·tr·'·'·'\n'·|·sort·-u·|·tr·'\n'·'·')·) | ||
| 152 | #·For·each·of·the·RPM·packages·left·in·the·list·--·reset·its·permissions·to·the | ||
| 153 | #·correct·values | ||
| 154 | for·RPM_PACKAGE·in·"${SETPERMS_RPM_LIST[@]}" | ||
| 155 | do | ||
| 156 | » rpm·--setperms·"${RPM_PACKAGE}" | ||
| 157 | done | ||
| 158 | #·END·fix·for·'rpm_verify_permissions' | ||
| 159 | ############################################################################### | ||
| 160 | #·BEGIN·fix·(6·/·94)·for·'rpm_verify_hashes' | ||
| 161 | ############################################################################### | ||
| 162 | (>&2·echo·"Remediating·rule·6/94:·'rpm_verify_hashes'") | ||
| 163 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 164 | #·END·fix·for·'rpm_verify_hashes' | ||
| 165 | ############################################################################### | ||
| 166 | #·BEGIN·fix·(7·/·94)·for·'install_hids' | ||
| 167 | ############################################################################### | ||
| 168 | (>&2·echo·"Remediating·rule·7/94:·'install_hids'") | ||
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 170 | #·END·fix·for·'install_hids' | ||
| 171 | ############################################################################### | ||
| 172 | #·BEGIN·fix·(8·/·94)·for·'package_aide_installed' | ||
| 173 | ############################################################################### | ||
| 174 | (>&2·echo·"Remediating·rule·8/94:·'package_aide_installed'") | ||
| 175 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 176 | # | ||
| 177 | #·Example·Call(s): | ||
| 178 | # | ||
| 179 | #·····package_install·aide | ||
| 180 | # | ||
| 181 | function·package_install·{ | ||
| 182 | #·Load·function·arguments·into·local·variables | ||
| 183 | local·package="$1" | ||
| 184 | #·Check·sanity·of·the·input | ||
| 185 | if·[·$#·-ne·"1"·] | ||
| 186 | then | ||
| 187 | ··echo·"Usage:·package_install·'package_name'" | ||
| 188 | ··echo·"Aborting." | ||
| 189 | ··exit·1 | ||
| 190 | fi | ||
| 191 | if·which·dnf·;·then | ||
| 192 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 193 | ····dnf·install·-y·"$package" | ||
| 194 | ··fi | ||
| 195 | elif·which·yum·;·then | ||
| 196 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 197 | ····yum·install·-y·"$package" | ||
| 198 | ··fi | ||
| 199 | elif·which·apt-get·;·then | ||
| 200 | ··apt-get·install·-y·"$package" | ||
| 201 | else | ||
| 202 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 203 | ··echo·"Aborting." | ||
| 204 | ··exit·1 | ||
| 205 | fi | ||
| 206 | } | ||
| 207 | package_install·aide | ||
| 208 | #·END·fix·for·'package_aide_installed' | ||
| 209 | ############################################################################### | ||
| 210 | #·BEGIN·fix·(9·/·94)·for·'aide_periodic_cron_checking' | ||
| 211 | ############################################################################### | ||
| 212 | (>&2·echo·"Remediating·rule·9/94:·'aide_periodic_cron_checking'") | ||
| 213 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 214 | # | ||
| 215 | #·Example·Call(s): | ||
| 216 | # | ||
| 217 | #·····package_install·aide | ||
| 218 | # | ||
| 219 | function·package_install·{ | ||
| 220 | #·Load·function·arguments·into·local·variables | ||
| 221 | local·package="$1" | ||
| 222 | #·Check·sanity·of·the·input | ||
| 223 | if·[·$#·-ne·"1"·] | ||
| 224 | then | ||
| 225 | ··echo·"Usage:·package_install·'package_name'" | ||
| 226 | ··echo·"Aborting." | ||
| 227 | ··exit·1 | ||
| 228 | fi | ||
| 229 | if·which·dnf·;·then | ||
| 230 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 231 | ····dnf·install·-y·"$package" | ||
| 232 | ··fi | ||
| 233 | elif·which·yum·;·then | ||
| 234 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 235 | ····yum·install·-y·"$package" | ||
| Max diff block lines reached; 176223/192119 bytes (91.73%) of diff not shown. | |||
| Offset 18, 38 lines modified | Offset 18, 120 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·94)·for·'service_ | 24 | #·BEGIN·fix·(1·/·94)·for·'service_atd_disabled' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/94:·'service_ | 26 | (>&2·echo·"Remediating·rule·1/94:·'service_atd_disabled'") |
| 27 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 28 | # | ||
| 29 | #·Example·Call(s): | ||
| 30 | # | ||
| 31 | #·····service_command·enable·bluetooth | ||
| 32 | #·····service_command·disable·bluetooth.service | ||
| 33 | # | ||
| 34 | #·····Using·xinetd: | ||
| 35 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 36 | # | ||
| 37 | function·service_command·{ | ||
| 38 | #·Load·function·arguments·into·local·variables | ||
| 39 | local·service_state=$1 | ||
| 40 | local·service=$2 | ||
| 41 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 42 | #·Check·sanity·of·the·input | ||
| 43 | if·[·$#·-lt·"2"·] | ||
| 44 | then | ||
| 45 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 46 | ··echo | ||
| 47 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 48 | ··echo·"as·the·last·argument"·· | ||
| 49 | ··echo·"Aborting." | ||
| 50 | ··exit·1 | ||
| 51 | fi | ||
| 52 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 53 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 54 | ··service_util="/usr/bin/systemctl" | ||
| 55 | else | ||
| 56 | ··service_util="/sbin/service" | ||
| 57 | ··chkconfig_util="/sbin/chkconfig" | ||
| 58 | fi | ||
| 59 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 60 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 61 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 62 | ··service_state="enable" | ||
| 63 | ··service_operation="start" | ||
| 64 | ··chkconfig_state="on" | ||
| 65 | else | ||
| 66 | ··service_state="disable" | ||
| 67 | ··service_operation="stop" | ||
| 68 | ··chkconfig_state="off" | ||
| 69 | fi | ||
| 70 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 71 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 72 | ··$service_util·$service·$service_operation | ||
| 73 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 74 | else | ||
| 75 | ··$service_util·$service_operation·$service | ||
| 76 | ··$service_util·$service_state·$service | ||
| 77 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 78 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 79 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 80 | ··$service_util·reset-failed·$service | ||
| 81 | fi | ||
| 82 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 83 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 84 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 85 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 86 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 87 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 88 | ··else | ||
| 89 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 90 | ··fi | ||
| 91 | fi | ||
| 92 | } | ||
| 93 | service_command·disable·atd | ||
| 94 | #·END·fix·for·'service_atd_disabled' | ||
| 95 | ############################################################################### | ||
| 96 | #·BEGIN·fix·(2·/·94)·for·'service_rlogin_disabled' | ||
| 97 | ############################################################################### | ||
| 98 | (>&2·echo·"Remediating·rule·2/94:·'service_rlogin_disabled'") | ||
| 27 | #·FIX·FOR·THIS·RULE·IS·MISSING | 99 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 28 | #·END·fix·for·'service_rlogin_disabled' | 100 | #·END·fix·for·'service_rlogin_disabled' |
| 29 | ############################################################################### | 101 | ############################################################################### |
| 30 | #·BEGIN·fix·( | 102 | #·BEGIN·fix·(3·/·94)·for·'service_rexec_disabled' |
| 31 | ############################################################################### | 103 | ############################################################################### |
| 32 | (>&2·echo·"Remediating·rule· | 104 | (>&2·echo·"Remediating·rule·3/94:·'service_rexec_disabled'") |
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | 105 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 34 | #·END·fix·for·'service_rexec_disabled' | 106 | #·END·fix·for·'service_rexec_disabled' |
| 35 | ############################################################################### | 107 | ############################################################################### |
| 36 | #·BEGIN·fix·( | 108 | #·BEGIN·fix·(4·/·94)·for·'service_rsh_disabled' |
| 37 | ############################################################################### | 109 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule· | 110 | (>&2·echo·"Remediating·rule·4/94:·'service_rsh_disabled'") |
| 39 | #·FIX·FOR·THIS·RULE·IS·MISSING | 111 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 40 | #·END·fix·for·'service_rsh_disabled' | 112 | #·END·fix·for·'service_rsh_disabled' |
| 41 | ############################################################################### | 113 | ############################################################################### |
| 42 | #·BEGIN·fix·( | 114 | #·BEGIN·fix·(5·/·94)·for·'package_rsh-server_removed' |
| 43 | ############################################################################### | 115 | ############################################################################### |
| 44 | (>&2·echo·"Remediating·rule· | 116 | (>&2·echo·"Remediating·rule·5/94:·'package_rsh-server_removed'") |
| 45 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 117 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 46 | # | 118 | # |
| 47 | #·Example·Call(s): | 119 | #·Example·Call(s): |
| 48 | # | 120 | # |
| 49 | #·····package_remove·telnet-server | 121 | #·····package_remove·telnet-server |
| 50 | # | 122 | # |
| 51 | function·package_remove·{ | 123 | function·package_remove·{ |
| Offset 83, 17 lines modified | Offset 165, 17 lines modified | ||
| 83 | } | 165 | } |
| 84 | package_remove·rsh-server | 166 | package_remove·rsh-server |
| 85 | #·END·fix·for·'package_rsh-server_removed' | 167 | #·END·fix·for·'package_rsh-server_removed' |
| Max diff block lines reached; 79730/84667 bytes (94.17%) of diff not shown. | |||
| Offset 45, 31 lines modified | Offset 45, 17 lines modified | ||
| 45 | #·BEGIN·fix·(2·/·186)·for·'mount_option_smb_client_signing' | 45 | #·BEGIN·fix·(2·/·186)·for·'mount_option_smb_client_signing' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | (>&2·echo·"Remediating·rule·2/186:·'mount_option_smb_client_signing'") | 47 | (>&2·echo·"Remediating·rule·2/186:·'mount_option_smb_client_signing'") |
| 48 | #·FIX·FOR·THIS·RULE·IS·MISSING | 48 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 49 | #·END·fix·for·'mount_option_smb_client_signing' | 49 | #·END·fix·for·'mount_option_smb_client_signing' |
| 50 | ############################################################################### | 50 | ############################################################################### |
| 51 | #·BEGIN·fix·(3·/·186)·for·' | 51 | #·BEGIN·fix·(3·/·186)·for·'service_ntpd_enabled' |
| 52 | ############################################################################### | 52 | ############################################################################### |
| 53 | (>&2·echo·"Remediating·rule·3/186:·' | 53 | (>&2·echo·"Remediating·rule·3/186:·'service_ntpd_enabled'") |
| 54 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 55 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 56 | ############################################################################### | ||
| 57 | #·BEGIN·fix·(4·/·186)·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 58 | ############################################################################### | ||
| 59 | (>&2·echo·"Remediating·rule·4/186:·'sysconfig_networking_bootproto_ifcfg'") | ||
| 60 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 61 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 62 | ############################################################################### | ||
| 63 | #·BEGIN·fix·(5·/·186)·for·'service_ntpd_enabled' | ||
| 64 | ############################################################################### | ||
| 65 | (>&2·echo·"Remediating·rule·5/186:·'service_ntpd_enabled'") | ||
| 66 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 54 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 67 | # | 55 | # |
| 68 | #·Example·Call(s): | 56 | #·Example·Call(s): |
| 69 | # | 57 | # |
| 70 | #·····service_command·enable·bluetooth | 58 | #·····service_command·enable·bluetooth |
| 71 | #·····service_command·disable·bluetooth.service | 59 | #·····service_command·disable·bluetooth.service |
| 72 | # | 60 | # |
| Offset 141, 45 lines modified | Offset 127, 24 lines modified | ||
| 141 | } | 127 | } |
| 142 | service_command·enable·ntpd | 128 | service_command·enable·ntpd |
| 143 | #·END·fix·for·'service_ntpd_enabled' | 129 | #·END·fix·for·'service_ntpd_enabled' |
| 144 | ############################################################################### | 130 | ############################################################################### |
| 145 | #·BEGIN·fix·( | 131 | #·BEGIN·fix·(4·/·186)·for·'ntpd_specify_remote_server' |
| 146 | ############################################################################### | 132 | ############################################################################### |
| 147 | (>&2·echo·"Remediating·rule· | 133 | (>&2·echo·"Remediating·rule·4/186:·'ntpd_specify_remote_server'") |
| 148 | #·FIX·FOR·THIS·RULE·IS·MISSING | 134 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 149 | #·END·fix·for·'ntpd_specify_remote_server' | 135 | #·END·fix·for·'ntpd_specify_remote_server' |
| 150 | ############################################################################### | 136 | ############################################################################### |
| 151 | #·BEGIN·fix·( | 137 | #·BEGIN·fix·(5·/·186)·for·'package_openldap-servers_removed' |
| 152 | ############################################################################### | ||
| 153 | (>&2·echo·"Remediating·rule·7/186:·'service_rlogin_disabled'") | ||
| 154 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 155 | #·END·fix·for·'service_rlogin_disabled' | ||
| 156 | ############################################################################### | ||
| 157 | #·BEGIN·fix·(8·/·186)·for·'service_rexec_disabled' | ||
| 158 | ############################################################################### | 138 | ############################################################################### |
| 159 | (>&2·echo·"Remediating·rule· | 139 | (>&2·echo·"Remediating·rule·5/186:·'package_openldap-servers_removed'") |
| 160 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 161 | #·END·fix·for·'service_rexec_disabled' | ||
| 162 | ############################################################################### | ||
| 163 | #·BEGIN·fix·(9·/·186)·for·'service_rsh_disabled' | ||
| 164 | ############################################################################### | ||
| 165 | (>&2·echo·"Remediating·rule·9/186:·'service_rsh_disabled'") | ||
| 166 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 167 | #·END·fix·for·'service_rsh_disabled' | ||
| 168 | ############################################################################### | ||
| 169 | #·BEGIN·fix·(10·/·186)·for·'package_rsh-server_removed' | ||
| 170 | ############################################################################### | ||
| 171 | (>&2·echo·"Remediating·rule·10/186:·'package_rsh-server_removed'") | ||
| 172 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 140 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 173 | # | 141 | # |
| 174 | #·Example·Call(s): | 142 | #·Example·Call(s): |
| 175 | # | 143 | # |
| 176 | #·····package_remove·telnet-server | 144 | #·····package_remove·telnet-server |
| 177 | # | 145 | # |
| 178 | function·package_remove·{ | 146 | function·package_remove·{ |
| Offset 209, 83 lines modified | Offset 174, 279 lines modified | ||
| 209 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 174 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 210 | ··echo·"Aborting." | 175 | ··echo·"Aborting." |
| 211 | ··exit·1 | 176 | ··exit·1 |
| 212 | fi | 177 | fi |
| 213 | } | 178 | } |
| 214 | package_remove· | 179 | package_remove·openldap-servers |
| 215 | #·END·fix·for·'package_ | 180 | #·END·fix·for·'package_openldap-servers_removed' |
| 216 | ############################################################################### | 181 | ############################################################################### |
| 217 | #·BEGIN·fix·( | 182 | #·BEGIN·fix·(6·/·186)·for·'ldap_client_start_tls' |
| 218 | ############################################################################### | 183 | ############################################################################### |
| 219 | (>&2·echo·"Remediating·rule· | 184 | (>&2·echo·"Remediating·rule·6/186:·'ldap_client_start_tls'") |
| 220 | find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; | ||
| 221 | if·[·-f·/etc/hosts.equiv·];·then | ||
| 222 | 185 | #·Use·LDAP·for·authentication | |
| 223 | fi | 186 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 224 | #· | 187 | #·it·does·not·exist. |
| 188 | # | ||
| 189 | #·Expects·arguments: | ||
| 190 | # | ||
| 191 | #·config_file:» » Configuration·file·that·will·be·modified | ||
| 192 | #·key:» » » Configuration·option·to·change | ||
| 193 | #·value:»»Value·of·the·configuration·option·to·change | ||
| 194 | #·cce:» » » The·CCE·identifier·or·'@CCENUM@'·if·no·CCE·identifier·exists | ||
| 195 | #·format:» » The·printf-like·format·string·that·will·be·given·stripped·key·and·value·as·arguments, | ||
| 196 | #» » » so·e.g.·'%s=%s'·will·result·in·key=value·subsitution·(i.e.·without·spaces·around·=) | ||
| 197 | # | ||
| 198 | #·Optional·arugments: | ||
| 199 | # | ||
| 200 | #·format:» » Optional·argument·to·specify·the·format·of·how·key/value·should·be | ||
| 201 | #·» » » modified/appended·in·the·configuration·file.·The·default·is·key·=·value. | ||
| 202 | # | ||
| 203 | #·Example·Call(s): | ||
| 204 | # | ||
| 205 | #·····With·default·format·of·'key·=·value': | ||
| 206 | #·····replace_or_append·'/etc/sysctl.conf'·'^kernel.randomize_va_space'·'2'·'@CCENUM@' | ||
| 207 | # | ||
| 208 | #·····With·custom·key/value·format: | ||
| 209 | #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·'disabled'·'@CCENUM@'·'%s=%s' | ||
| 210 | # | ||
| 211 | #·····With·a·variable: | ||
| 212 | #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'@CCENUM@'·'%s=%s' | ||
| 213 | # | ||
| 214 | function·replace_or_append·{ | ||
| 215 | ··local·default_format='%s·=·%s'·case_insensitive_mode=yes·sed_case_insensitive_option=''·grep_case_insensitive_option='' | ||
| 216 | ··local·config_file=$1 | ||
| Max diff block lines reached; 274005/285608 bytes (95.94%) of diff not shown. | |||
| Offset 46, 24 lines modified | Offset 46, 17 lines modified | ||
| 46 | #·BEGIN·fix·(2·/·182)·for·'mount_option_smb_client_signing' | 46 | #·BEGIN·fix·(2·/·182)·for·'mount_option_smb_client_signing' |
| 47 | ############################################################################### | 47 | ############################################################################### |
| 48 | (>&2·echo·"Remediating·rule·2/182:·'mount_option_smb_client_signing'") | 48 | (>&2·echo·"Remediating·rule·2/182:·'mount_option_smb_client_signing'") |
| 49 | #·FIX·FOR·THIS·RULE·IS·MISSING | 49 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 50 | #·END·fix·for·'mount_option_smb_client_signing' | 50 | #·END·fix·for·'mount_option_smb_client_signing' |
| 51 | ############################################################################### | 51 | ############################################################################### |
| 52 | #·BEGIN·fix·(3·/·182)·for·' | 52 | #·BEGIN·fix·(3·/·182)·for·'service_ntpd_enabled' |
| 53 | ############################################################################### | 53 | ############################################################################### |
| 54 | (>&2·echo·"Remediating·rule·3/182:·' | 54 | (>&2·echo·"Remediating·rule·3/182:·'service_ntpd_enabled'") |
| 55 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 56 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 57 | ############################################################################### | ||
| 58 | #·BEGIN·fix·(4·/·182)·for·'service_ntpd_enabled' | ||
| 59 | ############################################################################### | ||
| 60 | (>&2·echo·"Remediating·rule·4/182:·'service_ntpd_enabled'") | ||
| 61 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 55 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 62 | # | 56 | # |
| 63 | #·Example·Call(s): | 57 | #·Example·Call(s): |
| 64 | # | 58 | # |
| 65 | #·····service_command·enable·bluetooth | 59 | #·····service_command·enable·bluetooth |
| 66 | #·····service_command·disable·bluetooth.service | 60 | #·····service_command·disable·bluetooth.service |
| 67 | # | 61 | # |
| Offset 135, 45 lines modified | Offset 128, 24 lines modified | ||
| 135 | } | 128 | } |
| 136 | service_command·enable·ntpd | 129 | service_command·enable·ntpd |
| 137 | #·END·fix·for·'service_ntpd_enabled' | 130 | #·END·fix·for·'service_ntpd_enabled' |
| 138 | ############################################################################### | 131 | ############################################################################### |
| 139 | #·BEGIN·fix·( | 132 | #·BEGIN·fix·(4·/·182)·for·'ntpd_specify_remote_server' |
| 140 | ############################################################################### | 133 | ############################################################################### |
| 141 | (>&2·echo·"Remediating·rule· | 134 | (>&2·echo·"Remediating·rule·4/182:·'ntpd_specify_remote_server'") |
| 142 | #·FIX·FOR·THIS·RULE·IS·MISSING | 135 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 143 | #·END·fix·for·'ntpd_specify_remote_server' | 136 | #·END·fix·for·'ntpd_specify_remote_server' |
| 144 | ############################################################################### | 137 | ############################################################################### |
| 145 | #·BEGIN·fix·( | 138 | #·BEGIN·fix·(5·/·182)·for·'package_openldap-servers_removed' |
| 146 | ############################################################################### | ||
| 147 | (>&2·echo·"Remediating·rule·6/182:·'service_rlogin_disabled'") | ||
| 148 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 149 | #·END·fix·for·'service_rlogin_disabled' | ||
| 150 | ############################################################################### | ||
| 151 | #·BEGIN·fix·(7·/·182)·for·'service_rexec_disabled' | ||
| 152 | ############################################################################### | ||
| 153 | (>&2·echo·"Remediating·rule·7/182:·'service_rexec_disabled'") | ||
| 154 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 155 | #·END·fix·for·'service_rexec_disabled' | ||
| 156 | ############################################################################### | ||
| 157 | #·BEGIN·fix·(8·/·182)·for·'service_rsh_disabled' | ||
| 158 | ############################################################################### | 139 | ############################################################################### |
| 159 | (>&2·echo·"Remediating·rule· | 140 | (>&2·echo·"Remediating·rule·5/182:·'package_openldap-servers_removed'") |
| 160 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 161 | #·END·fix·for·'service_rsh_disabled' | ||
| 162 | ############################################################################### | ||
| 163 | #·BEGIN·fix·(9·/·182)·for·'package_rsh-server_removed' | ||
| 164 | ############################################################################### | ||
| 165 | (>&2·echo·"Remediating·rule·9/182:·'package_rsh-server_removed'") | ||
| 166 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 141 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 167 | # | 142 | # |
| 168 | #·Example·Call(s): | 143 | #·Example·Call(s): |
| 169 | # | 144 | # |
| 170 | #·····package_remove·telnet-server | 145 | #·····package_remove·telnet-server |
| 171 | # | 146 | # |
| 172 | function·package_remove·{ | 147 | function·package_remove·{ |
| Offset 203, 83 lines modified | Offset 175, 279 lines modified | ||
| 203 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 175 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 204 | ··echo·"Aborting." | 176 | ··echo·"Aborting." |
| 205 | ··exit·1 | 177 | ··exit·1 |
| 206 | fi | 178 | fi |
| 207 | } | 179 | } |
| 208 | package_remove· | 180 | package_remove·openldap-servers |
| 209 | #·END·fix·for·'package_ | 181 | #·END·fix·for·'package_openldap-servers_removed' |
| 210 | ############################################################################### | 182 | ############################################################################### |
| 211 | #·BEGIN·fix·( | 183 | #·BEGIN·fix·(6·/·182)·for·'ldap_client_start_tls' |
| 212 | ############################################################################### | 184 | ############################################################################### |
| 213 | (>&2·echo·"Remediating·rule· | 185 | (>&2·echo·"Remediating·rule·6/182:·'ldap_client_start_tls'") |
| 214 | find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; | ||
| 215 | if·[·-f·/etc/hosts.equiv·];·then | ||
| 216 | 186 | #·Use·LDAP·for·authentication | |
| 217 | fi | 187 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 218 | #· | 188 | #·it·does·not·exist. |
| 189 | # | ||
| 190 | #·Expects·arguments: | ||
| 191 | # | ||
| 192 | #·config_file:» » Configuration·file·that·will·be·modified | ||
| 193 | #·key:» » » Configuration·option·to·change | ||
| 194 | #·value:»»Value·of·the·configuration·option·to·change | ||
| 195 | #·cce:» » » The·CCE·identifier·or·'@CCENUM@'·if·no·CCE·identifier·exists | ||
| 196 | #·format:» » The·printf-like·format·string·that·will·be·given·stripped·key·and·value·as·arguments, | ||
| 197 | #» » » so·e.g.·'%s=%s'·will·result·in·key=value·subsitution·(i.e.·without·spaces·around·=) | ||
| 198 | # | ||
| 199 | #·Optional·arugments: | ||
| 200 | # | ||
| 201 | #·format:» » Optional·argument·to·specify·the·format·of·how·key/value·should·be | ||
| 202 | #·» » » modified/appended·in·the·configuration·file.·The·default·is·key·=·value. | ||
| 203 | # | ||
| 204 | #·Example·Call(s): | ||
| 205 | # | ||
| 206 | #·····With·default·format·of·'key·=·value': | ||
| 207 | #·····replace_or_append·'/etc/sysctl.conf'·'^kernel.randomize_va_space'·'2'·'@CCENUM@' | ||
| 208 | # | ||
| 209 | #·····With·custom·key/value·format: | ||
| 210 | #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·'disabled'·'@CCENUM@'·'%s=%s' | ||
| 211 | # | ||
| 212 | #·····With·a·variable: | ||
| 213 | #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'@CCENUM@'·'%s=%s' | ||
| 214 | # | ||
| 215 | function·replace_or_append·{ | ||
| 216 | ··local·default_format='%s·=·%s'·case_insensitive_mode=yes·sed_case_insensitive_option=''·grep_case_insensitive_option='' | ||
| 217 | ··local·config_file=$1 | ||
| 218 | ··local·key=$2 | ||
| 219 | ··local·value=$3 | ||
| 220 | ··local·cce=$4 | ||
| 221 | ··local·format=$5 | ||
| 222 | ··if·[·"$case_insensitive_mode"·=·yes·];·then | ||
| 223 | ····sed_case_insensitive_option="i" | ||
| Max diff block lines reached; 270022/281230 bytes (96.01%) of diff not shown. | |||
| Offset 25, 17 lines modified | Offset 25, 31 lines modified | ||
| 25 | # | 25 | # |
| 26 | #·How·to·apply·this·remediation·role: | 26 | #·How·to·apply·this·remediation·role: |
| 27 | #·$·sudo·./remediation-role.sh | 27 | #·$·sudo·./remediation-role.sh |
| 28 | # | 28 | # |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | ############################################################################### | 30 | ############################################################################### |
| 31 | #·BEGIN·fix·(1·/·250)·for·' | 31 | #·BEGIN·fix·(1·/·250)·for·'ftp_log_transactions' |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | (>&2·echo·"Remediating·rule·1/250:·' | 33 | (>&2·echo·"Remediating·rule·1/250:·'ftp_log_transactions'") |
| 34 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 35 | #·END·fix·for·'ftp_log_transactions' | ||
| 36 | ############################################################################### | ||
| 37 | #·BEGIN·fix·(2·/·250)·for·'ftp_present_banner' | ||
| 38 | ############################################################################### | ||
| 39 | (>&2·echo·"Remediating·rule·2/250:·'ftp_present_banner'") | ||
| 40 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 41 | #·END·fix·for·'ftp_present_banner' | ||
| 42 | ############################################################################### | ||
| 43 | #·BEGIN·fix·(3·/·250)·for·'require_smb_client_signing' | ||
| 44 | ############################################################################### | ||
| 45 | (>&2·echo·"Remediating·rule·3/250:·'require_smb_client_signing'") | ||
| 34 | ###################################################################### | 46 | ###################################################################### |
| 35 | #By·Luke·"Brisk-OH"·Brisk | 47 | #By·Luke·"Brisk-OH"·Brisk |
| 36 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 48 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 37 | ###################################################################### | 49 | ###################################################################### |
| 38 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 50 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| Offset 44, 38 lines modified | Offset 58, 113 lines modified | ||
| 44 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 58 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 45 | else | 59 | else |
| 46 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 60 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 47 | fi | 61 | fi |
| 48 | #·END·fix·for·'require_smb_client_signing' | 62 | #·END·fix·for·'require_smb_client_signing' |
| 49 | ############################################################################### | 63 | ############################################################################### |
| 50 | #·BEGIN·fix·( | 64 | #·BEGIN·fix·(4·/·250)·for·'mount_option_smb_client_signing' |
| 51 | ############################################################################### | 65 | ############################################################################### |
| 52 | (>&2·echo·"Remediating·rule· | 66 | (>&2·echo·"Remediating·rule·4/250:·'mount_option_smb_client_signing'") |
| 53 | #·FIX·FOR·THIS·RULE·IS·MISSING | 67 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 54 | #·END·fix·for·'mount_option_smb_client_signing' | 68 | #·END·fix·for·'mount_option_smb_client_signing' |
| 55 | ############################################################################### | 69 | ############################################################################### |
| 56 | #·BEGIN·fix·( | 70 | #·BEGIN·fix·(5·/·250)·for·'service_ntpd_enabled' |
| 57 | ############################################################################### | 71 | ############################################################################### |
| 58 | (>&2·echo·"Remediating·rule· | 72 | (>&2·echo·"Remediating·rule·5/250:·'service_ntpd_enabled'") |
| 59 | #·F | 73 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 60 | # | 74 | # |
| 75 | #·Example·Call(s): | ||
| 76 | # | ||
| 77 | #·····service_command·enable·bluetooth | ||
| 78 | #·····service_command·disable·bluetooth.service | ||
| 79 | # | ||
| 80 | #·····Using·xinetd: | ||
| 81 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 82 | # | ||
| 83 | function·service_command·{ | ||
| 84 | #·Load·function·arguments·into·local·variables | ||
| 85 | local·service_state=$1 | ||
| 86 | local·service=$2 | ||
| 87 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 88 | #·Check·sanity·of·the·input | ||
| 89 | if·[·$#·-lt·"2"·] | ||
| 90 | then | ||
| 91 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 92 | ··echo | ||
| 93 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 94 | ··echo·"as·the·last·argument"·· | ||
| 95 | ··echo·"Aborting." | ||
| 96 | ··exit·1 | ||
| 97 | fi | ||
| 98 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 99 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 100 | ··service_util="/usr/bin/systemctl" | ||
| 101 | else | ||
| 102 | ··service_util="/sbin/service" | ||
| 103 | ··chkconfig_util="/sbin/chkconfig" | ||
| 104 | fi | ||
| 105 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 106 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 107 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 108 | ··service_state="enable" | ||
| 109 | ··service_operation="start" | ||
| 110 | ··chkconfig_state="on" | ||
| 111 | else | ||
| 112 | ··service_state="disable" | ||
| 113 | ··service_operation="stop" | ||
| 114 | ··chkconfig_state="off" | ||
| 115 | fi | ||
| 116 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 117 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 118 | ··$service_util·$service·$service_operation | ||
| 119 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 120 | else | ||
| 121 | ··$service_util·$service_operation·$service | ||
| 122 | ··$service_util·$service_state·$service | ||
| 123 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 124 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 125 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 126 | ··$service_util·reset-failed·$service | ||
| 127 | fi | ||
| 128 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 129 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 130 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 131 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 132 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 133 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 134 | ··else | ||
| 135 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 136 | ··fi | ||
| 137 | fi | ||
| 138 | } | ||
| 139 | service_command·enable·ntpd | ||
| 140 | #·END·fix·for·'service_ntpd_enabled' | ||
| Max diff block lines reached; 353872/359166 bytes (98.53%) of diff not shown. | |||
| Offset 19, 17 lines modified | Offset 19, 17 lines modified | ||
| 19 | # | 19 | # |
| 20 | #·How·to·apply·this·remediation·role: | 20 | #·How·to·apply·this·remediation·role: |
| 21 | #·$·sudo·./remediation-role.sh | 21 | #·$·sudo·./remediation-role.sh |
| 22 | # | 22 | # |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | ############################################################################### | 24 | ############################################################################### |
| 25 | #·BEGIN·fix·(1·/·223)·for·'service_s | 25 | #·BEGIN·fix·(1·/·223)·for·'service_vsftpd_disabled' |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | (>&2·echo·"Remediating·rule·1/223:·'service_s | 27 | (>&2·echo·"Remediating·rule·1/223:·'service_vsftpd_disabled'") |
| 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 29 | # | 29 | # |
| 30 | #·Example·Call(s): | 30 | #·Example·Call(s): |
| 31 | # | 31 | # |
| 32 | #·····service_command·enable·bluetooth | 32 | #·····service_command·enable·bluetooth |
| 33 | #·····service_command·disable·bluetooth.service | 33 | #·····service_command·disable·bluetooth.service |
| 34 | # | 34 | # |
| Offset 97, 47 lines modified | Offset 97, 65 lines modified | ||
| 97 | ··else | 97 | ··else |
| 98 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 98 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 99 | ··fi | 99 | ··fi |
| 100 | fi | 100 | fi |
| 101 | } | 101 | } |
| 102 | service_command·disable·s | 102 | service_command·disable·vsftpd |
| 103 | #·END·fix·for·'service_s | 103 | #·END·fix·for·'service_vsftpd_disabled' |
| 104 | ############################################################################### | 104 | ############################################################################### |
| 105 | #·BEGIN·fix·(2·/·223)·for·' | 105 | #·BEGIN·fix·(2·/·223)·for·'package_vsftpd_removed' |
| 106 | ############################################################################### | 106 | ############################################################################### |
| 107 | (>&2·echo·"Remediating·rule·2/223:·' | 107 | (>&2·echo·"Remediating·rule·2/223:·'package_vsftpd_removed'") |
| 108 | # | 108 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 109 | # | 109 | # |
| 110 | # | 110 | #·Example·Call(s): |
| 111 | # | 111 | # |
| 112 | #·····package_remove·telnet-server | ||
| 113 | # | ||
| 114 | function·package_remove·{ | ||
| 112 | 115 | #·Load·function·arguments·into·local·variables | |
| 116 | local·package="$1" | ||
| 113 | 117 | #·Check·sanity·of·the·input | |
| 114 | 118 | if·[·$#·-ne·"1"·] | |
| 115 | 119 | then | |
| 120 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 121 | ··echo·"Aborting." | ||
| 122 | ··exit·1 | ||
| 123 | fi | ||
| 124 | if·which·dnf·;·then | ||
| 125 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 126 | ····dnf·remove·-y·"$package" | ||
| 127 | ··fi | ||
| 128 | elif·which·yum·;·then | ||
| 129 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 130 | ····yum·remove·-y·"$package" | ||
| 131 | ··fi | ||
| 132 | elif·which·apt-get·;·then | ||
| 133 | ··apt-get·remove·-y·"$package" | ||
| 116 | else | 134 | else |
| 117 | 135 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 136 | ··echo·"Aborting." | ||
| 137 | ··exit·1 | ||
| 118 | fi | 138 | fi |
| 119 | #·END·fix·for·'require_smb_client_signing' | ||
| 120 | 139 | } | |
| 121 | #·BEGIN·fix·(3·/·223)·for·'mount_option_smb_client_signing' | ||
| 122 | 140 | package_remove·vsftpd | |
| 123 | 141 | #·END·fix·for·'package_vsftpd_removed' | |
| 124 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 125 | #·END·fix·for·'mount_option_smb_client_signing' | ||
| 126 | ############################################################################### | 142 | ############################################################################### |
| 127 | #·BEGIN·fix·( | 143 | #·BEGIN·fix·(3·/·223)·for·'service_httpd_disabled' |
| 128 | ############################################################################### | 144 | ############################################################################### |
| 129 | (>&2·echo·"Remediating·rule· | 145 | (>&2·echo·"Remediating·rule·3/223:·'service_httpd_disabled'") |
| 130 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 146 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 131 | # | 147 | # |
| 132 | #·Example·Call(s): | 148 | #·Example·Call(s): |
| 133 | # | 149 | # |
| 134 | #·····service_command·enable·bluetooth | 150 | #·····service_command·enable·bluetooth |
| 135 | #·····service_command·disable·bluetooth.service | 151 | #·····service_command·disable·bluetooth.service |
| 136 | # | 152 | # |
| Offset 209, 17 lines modified | Offset 227, 17 lines modified | ||
| 209 | } | 227 | } |
| 210 | service_command·disable·httpd | 228 | service_command·disable·httpd |
| 211 | #·END·fix·for·'service_httpd_disabled' | 229 | #·END·fix·for·'service_httpd_disabled' |
| 212 | ############################################################################### | 230 | ############################################################################### |
| 213 | #·BEGIN·fix·( | 231 | #·BEGIN·fix·(4·/·223)·for·'package_httpd_removed' |
| 214 | ############################################################################### | 232 | ############################################################################### |
| 215 | (>&2·echo·"Remediating·rule· | 233 | (>&2·echo·"Remediating·rule·4/223:·'package_httpd_removed'") |
| 216 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 234 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 217 | # | 235 | # |
| 218 | #·Example·Call(s): | 236 | #·Example·Call(s): |
| 219 | # | 237 | # |
| 220 | #·····package_remove·telnet-server | 238 | #·····package_remove·telnet-server |
| 221 | # | 239 | # |
| 222 | function·package_remove·{ | 240 | function·package_remove·{ |
| Offset 253, 68 lines modified | Offset 271, 99 lines modified | ||
| 253 | } | 271 | } |
| 254 | package_remove·httpd | 272 | package_remove·httpd |
| 255 | #·END·fix·for·'package_httpd_removed' | 273 | #·END·fix·for·'package_httpd_removed' |
| 256 | ############################################################################### | 274 | ############################################################################### |
| 257 | #·BEGIN·fix·( | 275 | #·BEGIN·fix·(5·/·223)·for·'service_named_disabled' |
| 258 | ############################################################################### | ||
| 259 | (>&2·echo·"Remediating·rule·6/223:·'postfix_network_listening_disabled'") | ||
| 260 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 261 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 262 | ############################################################################### | ||
| 263 | #·BEGIN·fix·(7·/·223)·for·'package_sendmail_removed' | ||
| 264 | ############################################################################### | 276 | ############################################################################### |
| 265 | (>&2·echo·"Remediating·rule· | 277 | (>&2·echo·"Remediating·rule·5/223:·'service_named_disabled'") |
| 266 | #·Function·to· | 278 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 267 | # | 279 | # |
| 268 | #·Example·Call(s): | 280 | #·Example·Call(s): |
| 269 | # | 281 | # |
| 270 | #····· | 282 | #·····service_command·enable·bluetooth |
| Max diff block lines reached; 388953/394659 bytes (98.55%) of diff not shown. | |||
| Offset 369, 17 lines modified | Offset 369, 61 lines modified | ||
| 369 | } | 369 | } |
| 370 | service_command·disable·tftp | 370 | service_command·disable·tftp |
| 371 | #·END·fix·for·'service_tftp_disabled' | 371 | #·END·fix·for·'service_tftp_disabled' |
| 372 | ############################################################################### | 372 | ############################################################################### |
| 373 | #·BEGIN·fix·(11·/·213)·for·' | 373 | #·BEGIN·fix·(11·/·213)·for·'package_tcp_wrappers_installed' |
| 374 | ############################################################################### | 374 | ############################################################################### |
| 375 | (>&2·echo·"Remediating·rule·11/213:·' | 375 | (>&2·echo·"Remediating·rule·11/213:·'package_tcp_wrappers_installed'") |
| 376 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 377 | # | ||
| 378 | #·Example·Call(s): | ||
| 379 | # | ||
| 380 | #·····package_install·aide | ||
| 381 | # | ||
| 382 | function·package_install·{ | ||
| 383 | #·Load·function·arguments·into·local·variables | ||
| 384 | local·package="$1" | ||
| 385 | #·Check·sanity·of·the·input | ||
| 386 | if·[·$#·-ne·"1"·] | ||
| 387 | then | ||
| 388 | ··echo·"Usage:·package_install·'package_name'" | ||
| 389 | ··echo·"Aborting." | ||
| 390 | ··exit·1 | ||
| 391 | fi | ||
| 392 | if·which·dnf·;·then | ||
| 393 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 394 | ····dnf·install·-y·"$package" | ||
| 395 | ··fi | ||
| 396 | elif·which·yum·;·then | ||
| 397 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 398 | ····yum·install·-y·"$package" | ||
| 399 | ··fi | ||
| 400 | elif·which·apt-get·;·then | ||
| 401 | ··apt-get·install·-y·"$package" | ||
| 402 | else | ||
| 403 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 404 | ··echo·"Aborting." | ||
| 405 | ··exit·1 | ||
| 406 | fi | ||
| 407 | } | ||
| 408 | package_install·tcp_wrappers | ||
| 409 | #·END·fix·for·'package_tcp_wrappers_installed' | ||
| 410 | ############################################################################### | ||
| 411 | #·BEGIN·fix·(12·/·213)·for·'service_xinetd_disabled' | ||
| 412 | ############################################################################### | ||
| 413 | (>&2·echo·"Remediating·rule·12/213:·'service_xinetd_disabled'") | ||
| 376 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 414 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 377 | # | 415 | # |
| 378 | #·Example·Call(s): | 416 | #·Example·Call(s): |
| 379 | # | 417 | # |
| 380 | #·····service_command·enable·bluetooth | 418 | #·····service_command·enable·bluetooth |
| 381 | #·····service_command·disable·bluetooth.service | 419 | #·····service_command·disable·bluetooth.service |
| 382 | # | 420 | # |
| Offset 451, 61 lines modified | Offset 495, 61 lines modified | ||
| 451 | } | 495 | } |
| 452 | service_command·disable·xinetd | 496 | service_command·disable·xinetd |
| 453 | #·END·fix·for·'service_xinetd_disabled' | 497 | #·END·fix·for·'service_xinetd_disabled' |
| 454 | ############################################################################### | 498 | ############################################################################### |
| 455 | #·BEGIN·fix·(1 | 499 | #·BEGIN·fix·(13·/·213)·for·'package_talk_removed' |
| 456 | ############################################################################### | 500 | ############################################################################### |
| 457 | (>&2·echo·"Remediating·rule·1 | 501 | (>&2·echo·"Remediating·rule·13/213:·'package_talk_removed'") |
| 458 | #·Function·to· | 502 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 459 | # | 503 | # |
| 460 | #·Example·Call(s): | 504 | #·Example·Call(s): |
| 461 | # | 505 | # |
| 462 | #·····package_ | 506 | #·····package_remove·telnet-server |
| 463 | # | 507 | # |
| 464 | function·package_ | 508 | function·package_remove·{ |
| 465 | #·Load·function·arguments·into·local·variables | 509 | #·Load·function·arguments·into·local·variables |
| 466 | local·package="$1" | 510 | local·package="$1" |
| 467 | #·Check·sanity·of·the·input | 511 | #·Check·sanity·of·the·input |
| 468 | if·[·$#·-ne·"1"·] | 512 | if·[·$#·-ne·"1"·] |
| 469 | then | 513 | then |
| 470 | ··echo·"Usage:·package_ | 514 | ··echo·"Usage:·package_remove·'package_name'" |
| 471 | ··echo·"Aborting." | 515 | ··echo·"Aborting." |
| 472 | ··exit·1 | 516 | ··exit·1 |
| 473 | fi | 517 | fi |
| 474 | if·which·dnf·;·then | 518 | if·which·dnf·;·then |
| 475 | ··if· | 519 | ··if·rpm·-q·--quiet·"$package";·then |
| 476 | ····dnf· | 520 | ····dnf·remove·-y·"$package" |
| 477 | ··fi | 521 | ··fi |
| 478 | elif·which·yum·;·then | 522 | elif·which·yum·;·then |
| 479 | ··if· | 523 | ··if·rpm·-q·--quiet·"$package";·then |
| 480 | ····yum· | 524 | ····yum·remove·-y·"$package" |
| 481 | ··fi | 525 | ··fi |
| 482 | elif·which·apt-get·;·then | 526 | elif·which·apt-get·;·then |
| 483 | ··apt-get· | 527 | ··apt-get·remove·-y·"$package" |
| 484 | else | 528 | else |
| 485 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 529 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 486 | ··echo·"Aborting." | 530 | ··echo·"Aborting." |
| 487 | ··exit·1 | 531 | ··exit·1 |
| 488 | fi | 532 | fi |
| 489 | } | 533 | } |
| 490 | package_ | 534 | package_remove·talk |
| 491 | #·END·fix·for·'package_t | 535 | #·END·fix·for·'package_talk_removed' |
| 492 | ############################################################################### | 536 | ############################################################################### |
| 493 | #·BEGIN·fix·(1 | 537 | #·BEGIN·fix·(14·/·213)·for·'package_talk-server_removed' |
| 494 | ############################################################################### | 538 | ############################################################################### |
| 495 | (>&2·echo·"Remediating·rule·1 | 539 | (>&2·echo·"Remediating·rule·14/213:·'package_talk-server_removed'") |
| 496 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 540 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 497 | # | 541 | # |
| 498 | #·Example·Call(s): | 542 | #·Example·Call(s): |
| 499 | # | 543 | # |
| 500 | #·····package_remove·telnet-server | 544 | #·····package_remove·telnet-server |
| 501 | # | 545 | # |
| 502 | function·package_remove·{ | 546 | function·package_remove·{ |
| Offset 535, 65 lines modified | Offset 579, 103 lines modified | ||
| 535 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 579 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 536 | ··echo·"Aborting." | 580 | ··echo·"Aborting." |
| 537 | ··exit·1 | 581 | ··exit·1 |
| Max diff block lines reached; 132822/137164 bytes (96.83%) of diff not shown. | |||
| Offset 192, 17 lines modified | Offset 192, 19 lines modified | ||
| 192 | ··fi | 192 | ··fi |
| 193 | } | 193 | } |
| 194 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' | 194 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' |
| 195 | #·END·fix·for·'sshd_set_keepalive' | 195 | #·END·fix·for·'sshd_set_keepalive' |
| 196 | ############################################################################### | 196 | ############################################################################### |
| 197 | #·BEGIN·fix·(3·/·102)·for·'sshd_e | 197 | #·BEGIN·fix·(3·/·102)·for·'sshd_set_idle_timeout' |
| 198 | ############################################################################### | 198 | ############################################################################### |
| 199 | (>&2·echo·"Remediating·rule·3/102:·'sshd_e | 199 | (>&2·echo·"Remediating·rule·3/102:·'sshd_set_idle_timeout'") |
| 200 | sshd_idle_timeout_value="1800" | ||
| 200 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 201 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 201 | #·it·does·not·exist. | 202 | #·it·does·not·exist. |
| 202 | # | 203 | # |
| 203 | #·Expects·arguments: | 204 | #·Expects·arguments: |
| 204 | # | 205 | # |
| 205 | #·config_file:» » Configuration·file·that·will·be·modified | 206 | #·config_file:» » Configuration·file·that·will·be·modified |
| 206 | #·key:» » » Configuration·option·to·change | 207 | #·key:» » » Configuration·option·to·change |
| Offset 273, 21 lines modified | Offset 275, 21 lines modified | ||
| 273 | ··else | 275 | ··else |
| 274 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 276 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 275 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 277 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 276 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 278 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 277 | ··fi | 279 | ··fi |
| 278 | } | 280 | } |
| 279 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 281 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 280 | #·END·fix·for·'sshd_e | 282 | #·END·fix·for·'sshd_set_idle_timeout' |
| 281 | ############################################################################### | 283 | ############################################################################### |
| 282 | #·BEGIN·fix·(4·/·102)·for·'sshd_ | 284 | #·BEGIN·fix·(4·/·102)·for·'sshd_enable_warning_banner' |
| 283 | ############################################################################### | 285 | ############################################################################### |
| 284 | (>&2·echo·"Remediating·rule·4/102:·'sshd_ | 286 | (>&2·echo·"Remediating·rule·4/102:·'sshd_enable_warning_banner'") |
| 285 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 287 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 286 | #·it·does·not·exist. | 288 | #·it·does·not·exist. |
| 287 | # | 289 | # |
| 288 | #·Expects·arguments: | 290 | #·Expects·arguments: |
| 289 | # | 291 | # |
| 290 | #·config_file:» » Configuration·file·that·will·be·modified | 292 | #·config_file:» » Configuration·file·that·will·be·modified |
| 291 | #·key:» » » Configuration·option·to·change | 293 | #·key:» » » Configuration·option·to·change |
| Offset 358, 16 lines modified | Offset 360, 16 lines modified | ||
| 358 | ··else | 360 | ··else |
| 359 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 361 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 360 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 362 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 361 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 363 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 362 | ··fi | 364 | ··fi |
| 363 | } | 365 | } |
| 364 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 366 | replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s' |
| 365 | #·END·fix·for·'sshd_ | 367 | #·END·fix·for·'sshd_enable_warning_banner' |
| 366 | ############################################################################### | 368 | ############################################################################### |
| 367 | #·BEGIN·fix·(5·/·102)·for·'sshd_allow_only_protocol2' | 369 | #·BEGIN·fix·(5·/·102)·for·'sshd_allow_only_protocol2' |
| 368 | ############################################################################### | 370 | ############################################################################### |
| 369 | (>&2·echo·"Remediating·rule·5/102:·'sshd_allow_only_protocol2'") | 371 | (>&2·echo·"Remediating·rule·5/102:·'sshd_allow_only_protocol2'") |
| 370 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 372 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 371 | #·it·does·not·exist. | 373 | #·it·does·not·exist. |
| Offset 532, 19 lines modified | Offset 534, 17 lines modified | ||
| 532 | ··fi | 534 | ··fi |
| 533 | } | 535 | } |
| 534 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s' | 536 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s' |
| 535 | #·END·fix·for·'sshd_disable_rhosts' | 537 | #·END·fix·for·'sshd_disable_rhosts' |
| 536 | ############################################################################### | 538 | ############################################################################### |
| 537 | #·BEGIN·fix·(7·/·102)·for·'sshd_ | 539 | #·BEGIN·fix·(7·/·102)·for·'sshd_do_not_permit_user_env' |
| 538 | ############################################################################### | 540 | ############################################################################### |
| 539 | (>&2·echo·"Remediating·rule·7/102:·'sshd_ | 541 | (>&2·echo·"Remediating·rule·7/102:·'sshd_do_not_permit_user_env'") |
| 540 | sshd_idle_timeout_value="1800" | ||
| 541 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 542 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 542 | #·it·does·not·exist. | 543 | #·it·does·not·exist. |
| 543 | # | 544 | # |
| 544 | #·Expects·arguments: | 545 | #·Expects·arguments: |
| 545 | # | 546 | # |
| 546 | #·config_file:» » Configuration·file·that·will·be·modified | 547 | #·config_file:» » Configuration·file·that·will·be·modified |
| 547 | #·key:» » » Configuration·option·to·change | 548 | #·key:» » » Configuration·option·to·change |
| Offset 615, 16 lines modified | Offset 615, 16 lines modified | ||
| 615 | ··else | 615 | ··else |
| 616 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 616 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 617 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 617 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 618 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 618 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 619 | ··fi | 619 | ··fi |
| 620 | } | 620 | } |
| 621 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 621 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s' |
| 622 | #·END·fix·for·'sshd_ | 622 | #·END·fix·for·'sshd_do_not_permit_user_env' |
| 623 | ############################################################################### | 623 | ############################################################################### |
| 624 | #·BEGIN·fix·(8·/·102)·for·'sshd_use_approved_ciphers' | 624 | #·BEGIN·fix·(8·/·102)·for·'sshd_use_approved_ciphers' |
| 625 | ############################################################################### | 625 | ############################################################################### |
| 626 | (>&2·echo·"Remediating·rule·8/102:·'sshd_use_approved_ciphers'") | 626 | (>&2·echo·"Remediating·rule·8/102:·'sshd_use_approved_ciphers'") |
| 627 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 627 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 628 | #·it·does·not·exist. | 628 | #·it·does·not·exist. |
| Offset 1193, 19 lines modified | Offset 1193, 17 lines modified | ||
| 1193 | include_dconf_settings | 1193 | include_dconf_settings |
| 1194 | dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings' | 1194 | dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings' |
| 1195 | dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock' | 1195 | dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock' |
| 1196 | #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled' | 1196 | #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled' |
| 1197 | ############################################################################### | 1197 | ############################################################################### |
| 1198 | #·BEGIN·fix·(23·/·102)·for·'dconf_gnome_screensaver_ | 1198 | #·BEGIN·fix·(23·/·102)·for·'dconf_gnome_screensaver_mode_blank' |
| 1199 | ############################################################################### | 1199 | ############################################################################### |
| 1200 | (>&2·echo·"Remediating·rule·23/102:·'dconf_gnome_screensaver_ | 1200 | (>&2·echo·"Remediating·rule·23/102:·'dconf_gnome_screensaver_mode_blank'") |
| 1201 | inactivity_timeout_value="1800" | ||
| 1202 | function·include_dconf_settings·{ | 1201 | function·include_dconf_settings·{ |
| 1203 | » : | 1202 | » : |
| 1204 | } | 1203 | } |
| 1205 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 1204 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 1206 | # | 1205 | # |
| 1207 | #·Example·Call(s): | 1206 | #·Example·Call(s): |
| Offset 1273, 22 lines modified | Offset 1271, 24 lines modified | ||
| 1273 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 1271 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 1274 | » fi | 1272 | » fi |
| 1275 | } | 1273 | } |
| 1276 | include_dconf_settings | 1274 | include_dconf_settings |
| 1277 | dconf_settings·'org/gnome/desktop/s | 1275 | dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings' |
| 1278 | dconf_lock·'org/gnome/desktop/ses | 1276 | dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock' |
| 1279 | #·END·fix·for·'dconf_gnome_screensaver_ | 1277 | #·END·fix·for·'dconf_gnome_screensaver_mode_blank' |
| Max diff block lines reached; 69231/75731 bytes (91.42%) of diff not shown. | |||
| Offset 285, 17 lines modified | Offset 285, 61 lines modified | ||
| 285 | } | 285 | } |
| 286 | package_remove·telnet-server | 286 | package_remove·telnet-server |
| 287 | #·END·fix·for·'package_telnet-server_removed' | 287 | #·END·fix·for·'package_telnet-server_removed' |
| 288 | ############################################################################### | 288 | ############################################################################### |
| 289 | #·BEGIN·fix·(10·/·149)·for·' | 289 | #·BEGIN·fix·(10·/·149)·for·'package_ypbind_removed' |
| 290 | ############################################################################### | 290 | ############################################################################### |
| 291 | (>&2·echo·"Remediating·rule·10/149:·' | 291 | (>&2·echo·"Remediating·rule·10/149:·'package_ypbind_removed'") |
| 292 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 293 | # | ||
| 294 | #·Example·Call(s): | ||
| 295 | # | ||
| 296 | #·····package_remove·telnet-server | ||
| 297 | # | ||
| 298 | function·package_remove·{ | ||
| 299 | #·Load·function·arguments·into·local·variables | ||
| 300 | local·package="$1" | ||
| 301 | #·Check·sanity·of·the·input | ||
| 302 | if·[·$#·-ne·"1"·] | ||
| 303 | then | ||
| 304 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 305 | ··echo·"Aborting." | ||
| 306 | ··exit·1 | ||
| 307 | fi | ||
| 308 | if·which·dnf·;·then | ||
| 309 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 310 | ····dnf·remove·-y·"$package" | ||
| 311 | ··fi | ||
| 312 | elif·which·yum·;·then | ||
| 313 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 314 | ····yum·remove·-y·"$package" | ||
| 315 | ··fi | ||
| 316 | elif·which·apt-get·;·then | ||
| 317 | ··apt-get·remove·-y·"$package" | ||
| 318 | else | ||
| 319 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 320 | ··echo·"Aborting." | ||
| 321 | ··exit·1 | ||
| 322 | fi | ||
| 323 | } | ||
| 324 | package_remove·ypbind | ||
| 325 | #·END·fix·for·'package_ypbind_removed' | ||
| 326 | ############################################################################### | ||
| 327 | #·BEGIN·fix·(11·/·149)·for·'service_ypbind_disabled' | ||
| 328 | ############################################################################### | ||
| 329 | (>&2·echo·"Remediating·rule·11/149:·'service_ypbind_disabled'") | ||
| 292 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 330 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 293 | # | 331 | # |
| 294 | #·Example·Call(s): | 332 | #·Example·Call(s): |
| 295 | # | 333 | # |
| 296 | #·····service_command·enable·bluetooth | 334 | #·····service_command·enable·bluetooth |
| 297 | #·····service_command·disable·bluetooth.service | 335 | #·····service_command·disable·bluetooth.service |
| 298 | # | 336 | # |
| Offset 367, 58 lines modified | Offset 411, 14 lines modified | ||
| 367 | } | 411 | } |
| 368 | service_command·disable·ypbind | 412 | service_command·disable·ypbind |
| 369 | #·END·fix·for·'service_ypbind_disabled' | 413 | #·END·fix·for·'service_ypbind_disabled' |
| 370 | ############################################################################### | 414 | ############################################################################### |
| 371 | #·BEGIN·fix·(11·/·149)·for·'package_ypbind_removed' | ||
| 372 | ############################################################################### | ||
| 373 | (>&2·echo·"Remediating·rule·11/149:·'package_ypbind_removed'") | ||
| 374 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 375 | # | ||
| 376 | #·Example·Call(s): | ||
| 377 | # | ||
| 378 | #·····package_remove·telnet-server | ||
| 379 | # | ||
| 380 | function·package_remove·{ | ||
| 381 | #·Load·function·arguments·into·local·variables | ||
| 382 | local·package="$1" | ||
| 383 | #·Check·sanity·of·the·input | ||
| 384 | if·[·$#·-ne·"1"·] | ||
| 385 | then | ||
| 386 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 387 | ··echo·"Aborting." | ||
| 388 | ··exit·1 | ||
| 389 | fi | ||
| 390 | if·which·dnf·;·then | ||
| 391 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 392 | ····dnf·remove·-y·"$package" | ||
| 393 | ··fi | ||
| 394 | elif·which·yum·;·then | ||
| 395 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 396 | ····yum·remove·-y·"$package" | ||
| 397 | ··fi | ||
| 398 | elif·which·apt-get·;·then | ||
| 399 | ··apt-get·remove·-y·"$package" | ||
| 400 | else | ||
| 401 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 402 | ··echo·"Aborting." | ||
| 403 | ··exit·1 | ||
| 404 | fi | ||
| 405 | } | ||
| 406 | package_remove·ypbind | ||
| 407 | #·END·fix·for·'package_ypbind_removed' | ||
| 408 | ############################################################################### | ||
| 409 | #·BEGIN·fix·(12·/·149)·for·'package_ypserv_removed' | 415 | #·BEGIN·fix·(12·/·149)·for·'package_ypserv_removed' |
| 410 | ############################################################################### | 416 | ############################################################################### |
| 411 | (>&2·echo·"Remediating·rule·12/149:·'package_ypserv_removed'") | 417 | (>&2·echo·"Remediating·rule·12/149:·'package_ypserv_removed'") |
| 412 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 418 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 413 | # | 419 | # |
| 414 | #·Example·Call(s): | 420 | #·Example·Call(s): |
| 415 | # | 421 | # |
| Offset 922, 17 lines modified | Offset 922, 17 lines modified | ||
| 922 | #·BEGIN·fix·(20·/·149)·for·'use_kerberos_security_all_exports' | 922 | #·BEGIN·fix·(20·/·149)·for·'use_kerberos_security_all_exports' |
| 923 | ############################################################################### | 923 | ############################################################################### |
| 924 | (>&2·echo·"Remediating·rule·20/149:·'use_kerberos_security_all_exports'") | 924 | (>&2·echo·"Remediating·rule·20/149:·'use_kerberos_security_all_exports'") |
| 925 | #·FIX·FOR·THIS·RULE·IS·MISSING | 925 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 926 | #·END·fix·for·'use_kerberos_security_all_exports' | 926 | #·END·fix·for·'use_kerberos_security_all_exports' |
| Max diff block lines reached; 96537/100366 bytes (96.18%) of diff not shown. | |||
| Offset 293, 17 lines modified | Offset 293, 61 lines modified | ||
| 293 | } | 293 | } |
| 294 | package_remove·telnet-server | 294 | package_remove·telnet-server |
| 295 | #·END·fix·for·'package_telnet-server_removed' | 295 | #·END·fix·for·'package_telnet-server_removed' |
| 296 | ############################################################################### | 296 | ############################################################################### |
| 297 | #·BEGIN·fix·(10·/·358)·for·' | 297 | #·BEGIN·fix·(10·/·358)·for·'package_ypbind_removed' |
| 298 | ############################################################################### | 298 | ############################################################################### |
| 299 | (>&2·echo·"Remediating·rule·10/358:·' | 299 | (>&2·echo·"Remediating·rule·10/358:·'package_ypbind_removed'") |
| 300 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 301 | # | ||
| 302 | #·Example·Call(s): | ||
| 303 | # | ||
| 304 | #·····package_remove·telnet-server | ||
| 305 | # | ||
| 306 | function·package_remove·{ | ||
| 307 | #·Load·function·arguments·into·local·variables | ||
| 308 | local·package="$1" | ||
| 309 | #·Check·sanity·of·the·input | ||
| 310 | if·[·$#·-ne·"1"·] | ||
| 311 | then | ||
| 312 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 313 | ··echo·"Aborting." | ||
| 314 | ··exit·1 | ||
| 315 | fi | ||
| 316 | if·which·dnf·;·then | ||
| 317 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 318 | ····dnf·remove·-y·"$package" | ||
| 319 | ··fi | ||
| 320 | elif·which·yum·;·then | ||
| 321 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 322 | ····yum·remove·-y·"$package" | ||
| 323 | ··fi | ||
| 324 | elif·which·apt-get·;·then | ||
| 325 | ··apt-get·remove·-y·"$package" | ||
| 326 | else | ||
| 327 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 328 | ··echo·"Aborting." | ||
| 329 | ··exit·1 | ||
| 330 | fi | ||
| 331 | } | ||
| 332 | package_remove·ypbind | ||
| 333 | #·END·fix·for·'package_ypbind_removed' | ||
| 334 | ############################################################################### | ||
| 335 | #·BEGIN·fix·(11·/·358)·for·'service_ypbind_disabled' | ||
| 336 | ############################################################################### | ||
| 337 | (>&2·echo·"Remediating·rule·11/358:·'service_ypbind_disabled'") | ||
| 300 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 338 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 301 | # | 339 | # |
| 302 | #·Example·Call(s): | 340 | #·Example·Call(s): |
| 303 | # | 341 | # |
| 304 | #·····service_command·enable·bluetooth | 342 | #·····service_command·enable·bluetooth |
| 305 | #·····service_command·disable·bluetooth.service | 343 | #·····service_command·disable·bluetooth.service |
| 306 | # | 344 | # |
| Offset 375, 58 lines modified | Offset 419, 14 lines modified | ||
| 375 | } | 419 | } |
| 376 | service_command·disable·ypbind | 420 | service_command·disable·ypbind |
| 377 | #·END·fix·for·'service_ypbind_disabled' | 421 | #·END·fix·for·'service_ypbind_disabled' |
| 378 | ############################################################################### | 422 | ############################################################################### |
| 379 | #·BEGIN·fix·(11·/·358)·for·'package_ypbind_removed' | ||
| 380 | ############################################################################### | ||
| 381 | (>&2·echo·"Remediating·rule·11/358:·'package_ypbind_removed'") | ||
| 382 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 383 | # | ||
| 384 | #·Example·Call(s): | ||
| 385 | # | ||
| 386 | #·····package_remove·telnet-server | ||
| 387 | # | ||
| 388 | function·package_remove·{ | ||
| 389 | #·Load·function·arguments·into·local·variables | ||
| 390 | local·package="$1" | ||
| 391 | #·Check·sanity·of·the·input | ||
| 392 | if·[·$#·-ne·"1"·] | ||
| 393 | then | ||
| 394 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 395 | ··echo·"Aborting." | ||
| 396 | ··exit·1 | ||
| 397 | fi | ||
| 398 | if·which·dnf·;·then | ||
| 399 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 400 | ····dnf·remove·-y·"$package" | ||
| 401 | ··fi | ||
| 402 | elif·which·yum·;·then | ||
| 403 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 404 | ····yum·remove·-y·"$package" | ||
| 405 | ··fi | ||
| 406 | elif·which·apt-get·;·then | ||
| 407 | ··apt-get·remove·-y·"$package" | ||
| 408 | else | ||
| 409 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 410 | ··echo·"Aborting." | ||
| 411 | ··exit·1 | ||
| 412 | fi | ||
| 413 | } | ||
| 414 | package_remove·ypbind | ||
| 415 | #·END·fix·for·'package_ypbind_removed' | ||
| 416 | ############################################################################### | ||
| 417 | #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed' | 423 | #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed' |
| 418 | ############################################################################### | 424 | ############################################################################### |
| 419 | (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'") | 425 | (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'") |
| 420 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 426 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 421 | # | 427 | # |
| 422 | #·Example·Call(s): | 428 | #·Example·Call(s): |
| 423 | # | 429 | # |
| Offset 1428, 17 lines modified | Offset 1428, 17 lines modified | ||
| 1428 | #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems' | 1428 | #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems' |
| 1429 | ############################################################################### | 1429 | ############################################################################### |
| 1430 | (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'") | 1430 | (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'") |
| 1431 | #·FIX·FOR·THIS·RULE·IS·MISSING | 1431 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 1432 | #·END·fix·for·'mount_option_nodev_remote_filesystems' | 1432 | #·END·fix·for·'mount_option_nodev_remote_filesystems' |
| Max diff block lines reached; 227689/231532 bytes (98.34%) of diff not shown. | |||
| Offset 304, 17 lines modified | Offset 304, 61 lines modified | ||
| 304 | } | 304 | } |
| 305 | package_remove·telnet-server | 305 | package_remove·telnet-server |
| 306 | #·END·fix·for·'package_telnet-server_removed' | 306 | #·END·fix·for·'package_telnet-server_removed' |
| 307 | ############################################################################### | 307 | ############################################################################### |
| 308 | #·BEGIN·fix·(10·/·358)·for·' | 308 | #·BEGIN·fix·(10·/·358)·for·'package_ypbind_removed' |
| 309 | ############################################################################### | 309 | ############################################################################### |
| 310 | (>&2·echo·"Remediating·rule·10/358:·' | 310 | (>&2·echo·"Remediating·rule·10/358:·'package_ypbind_removed'") |
| 311 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 312 | # | ||
| 313 | #·Example·Call(s): | ||
| 314 | # | ||
| 315 | #·····package_remove·telnet-server | ||
| 316 | # | ||
| 317 | function·package_remove·{ | ||
| 318 | #·Load·function·arguments·into·local·variables | ||
| 319 | local·package="$1" | ||
| 320 | #·Check·sanity·of·the·input | ||
| 321 | if·[·$#·-ne·"1"·] | ||
| 322 | then | ||
| 323 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 324 | ··echo·"Aborting." | ||
| 325 | ··exit·1 | ||
| 326 | fi | ||
| 327 | if·which·dnf·;·then | ||
| 328 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 329 | ····dnf·remove·-y·"$package" | ||
| 330 | ··fi | ||
| 331 | elif·which·yum·;·then | ||
| 332 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 333 | ····yum·remove·-y·"$package" | ||
| 334 | ··fi | ||
| 335 | elif·which·apt-get·;·then | ||
| 336 | ··apt-get·remove·-y·"$package" | ||
| 337 | else | ||
| 338 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 339 | ··echo·"Aborting." | ||
| 340 | ··exit·1 | ||
| 341 | fi | ||
| 342 | } | ||
| 343 | package_remove·ypbind | ||
| 344 | #·END·fix·for·'package_ypbind_removed' | ||
| 345 | ############################################################################### | ||
| 346 | #·BEGIN·fix·(11·/·358)·for·'service_ypbind_disabled' | ||
| 347 | ############################################################################### | ||
| 348 | (>&2·echo·"Remediating·rule·11/358:·'service_ypbind_disabled'") | ||
| 311 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 349 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 312 | # | 350 | # |
| 313 | #·Example·Call(s): | 351 | #·Example·Call(s): |
| 314 | # | 352 | # |
| 315 | #·····service_command·enable·bluetooth | 353 | #·····service_command·enable·bluetooth |
| 316 | #·····service_command·disable·bluetooth.service | 354 | #·····service_command·disable·bluetooth.service |
| 317 | # | 355 | # |
| Offset 386, 58 lines modified | Offset 430, 14 lines modified | ||
| 386 | } | 430 | } |
| 387 | service_command·disable·ypbind | 431 | service_command·disable·ypbind |
| 388 | #·END·fix·for·'service_ypbind_disabled' | 432 | #·END·fix·for·'service_ypbind_disabled' |
| 389 | ############################################################################### | 433 | ############################################################################### |
| 390 | #·BEGIN·fix·(11·/·358)·for·'package_ypbind_removed' | ||
| 391 | ############################################################################### | ||
| 392 | (>&2·echo·"Remediating·rule·11/358:·'package_ypbind_removed'") | ||
| 393 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 394 | # | ||
| 395 | #·Example·Call(s): | ||
| 396 | # | ||
| 397 | #·····package_remove·telnet-server | ||
| 398 | # | ||
| 399 | function·package_remove·{ | ||
| 400 | #·Load·function·arguments·into·local·variables | ||
| 401 | local·package="$1" | ||
| 402 | #·Check·sanity·of·the·input | ||
| 403 | if·[·$#·-ne·"1"·] | ||
| 404 | then | ||
| 405 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 406 | ··echo·"Aborting." | ||
| 407 | ··exit·1 | ||
| 408 | fi | ||
| 409 | if·which·dnf·;·then | ||
| 410 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 411 | ····dnf·remove·-y·"$package" | ||
| 412 | ··fi | ||
| 413 | elif·which·yum·;·then | ||
| 414 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 415 | ····yum·remove·-y·"$package" | ||
| 416 | ··fi | ||
| 417 | elif·which·apt-get·;·then | ||
| 418 | ··apt-get·remove·-y·"$package" | ||
| 419 | else | ||
| 420 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 421 | ··echo·"Aborting." | ||
| 422 | ··exit·1 | ||
| 423 | fi | ||
| 424 | } | ||
| 425 | package_remove·ypbind | ||
| 426 | #·END·fix·for·'package_ypbind_removed' | ||
| 427 | ############################################################################### | ||
| 428 | #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed' | 434 | #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed' |
| 429 | ############################################################################### | 435 | ############################################################################### |
| 430 | (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'") | 436 | (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'") |
| 431 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 437 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 432 | # | 438 | # |
| 433 | #·Example·Call(s): | 439 | #·Example·Call(s): |
| 434 | # | 440 | # |
| Offset 1439, 17 lines modified | Offset 1439, 17 lines modified | ||
| 1439 | #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems' | 1439 | #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems' |
| 1440 | ############################################################################### | 1440 | ############################################################################### |
| 1441 | (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'") | 1441 | (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'") |
| 1442 | #·FIX·FOR·THIS·RULE·IS·MISSING | 1442 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 1443 | #·END·fix·for·'mount_option_nodev_remote_filesystems' | 1443 | #·END·fix·for·'mount_option_nodev_remote_filesystems' |
| Max diff block lines reached; 227689/231532 bytes (98.34%) of diff not shown. | |||
| Offset 793, 19 lines modified | Offset 793, 17 lines modified | ||
| 793 | include_dconf_settings | 793 | include_dconf_settings |
| 794 | dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings' | 794 | dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings' |
| 795 | dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock' | 795 | dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock' |
| 796 | #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled' | 796 | #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled' |
| 797 | ############################################################################### | 797 | ############################################################################### |
| 798 | #·BEGIN·fix·(17·/·94)·for·'dconf_gnome_screensaver_ | 798 | #·BEGIN·fix·(17·/·94)·for·'dconf_gnome_screensaver_mode_blank' |
| 799 | ############################################################################### | 799 | ############################################################################### |
| 800 | (>&2·echo·"Remediating·rule·17/94:·'dconf_gnome_screensaver_ | 800 | (>&2·echo·"Remediating·rule·17/94:·'dconf_gnome_screensaver_mode_blank'") |
| 801 | inactivity_timeout_value="900" | ||
| 802 | function·include_dconf_settings·{ | 801 | function·include_dconf_settings·{ |
| 803 | » : | 802 | » : |
| 804 | } | 803 | } |
| 805 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 804 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 806 | # | 805 | # |
| 807 | #·Example·Call(s): | 806 | #·Example·Call(s): |
| Offset 873, 22 lines modified | Offset 871, 24 lines modified | ||
| 873 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 871 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 874 | » fi | 872 | » fi |
| 875 | } | 873 | } |
| 876 | include_dconf_settings | 874 | include_dconf_settings |
| 877 | dconf_settings·'org/gnome/desktop/s | 875 | dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings' |
| 878 | dconf_lock·'org/gnome/desktop/ses | 876 | dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock' |
| 879 | #·END·fix·for·'dconf_gnome_screensaver_ | 877 | #·END·fix·for·'dconf_gnome_screensaver_mode_blank' |
| 880 | ############################################################################### | 878 | ############################################################################### |
| 881 | #·BEGIN·fix·(18·/·94)·for·'dconf_gnome_screensaver_ | 879 | #·BEGIN·fix·(18·/·94)·for·'dconf_gnome_screensaver_idle_delay' |
| 882 | ############################################################################### | 880 | ############################################################################### |
| 883 | (>&2·echo·"Remediating·rule·18/94:·'dconf_gnome_screensaver_ | 881 | (>&2·echo·"Remediating·rule·18/94:·'dconf_gnome_screensaver_idle_delay'") |
| 882 | inactivity_timeout_value="900" | ||
| 884 | function·include_dconf_settings·{ | 883 | function·include_dconf_settings·{ |
| 885 | » : | 884 | » : |
| 886 | } | 885 | } |
| 887 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 886 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 888 | # | 887 | # |
| 889 | #·Example·Call(s): | 888 | #·Example·Call(s): |
| Offset 956, 17 lines modified | Offset 956, 17 lines modified | ||
| 956 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 956 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 957 | » fi | 957 | » fi |
| 958 | } | 958 | } |
| 959 | include_dconf_settings | 959 | include_dconf_settings |
| 960 | dconf_settings·'org/gnome/desktop/s | 960 | dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings' |
| 961 | dconf_lock·'org/gnome/desktop/s | 961 | dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock' |
| 962 | #·END·fix·for·'dconf_gnome_screensaver_ | 962 | #·END·fix·for·'dconf_gnome_screensaver_idle_delay' |
| 963 | ############################################################################### | 963 | ############################################################################### |
| 964 | #·BEGIN·fix·(19·/·94)·for·'dconf_gnome_screensaver_lock_enabled' | 964 | #·BEGIN·fix·(19·/·94)·for·'dconf_gnome_screensaver_lock_enabled' |
| 965 | ############################################################################### | 965 | ############################################################################### |
| 966 | (>&2·echo·"Remediating·rule·19/94:·'dconf_gnome_screensaver_lock_enabled'") | 966 | (>&2·echo·"Remediating·rule·19/94:·'dconf_gnome_screensaver_lock_enabled'") |
| 967 | function·include_dconf_settings·{ | 967 | function·include_dconf_settings·{ |
| 968 | » : | 968 | » : |
| Offset 2117, 72 lines modified | Offset 2117, 72 lines modified | ||
| 2117 | ··sed·-i·'s/^action_mail_acct.*/action_mail_acct·=·'"$var_auditd_action_mail_acct"'/g'·$AUDITCONFIG | 2117 | ··sed·-i·'s/^action_mail_acct.*/action_mail_acct·=·'"$var_auditd_action_mail_acct"'/g'·$AUDITCONFIG |
| 2118 | if·!·[·$?·-eq·0·];·then | 2118 | if·!·[·$?·-eq·0·];·then |
| 2119 | ··echo·"action_mail_acct·=·$var_auditd_action_mail_acct"·>>·$AUDITCONFIG | 2119 | ··echo·"action_mail_acct·=·$var_auditd_action_mail_acct"·>>·$AUDITCONFIG |
| 2120 | fi | 2120 | fi |
| 2121 | #·END·fix·for·'auditd_data_retention_action_mail_acct' | 2121 | #·END·fix·for·'auditd_data_retention_action_mail_acct' |
| 2122 | ############################################################################### | 2122 | ############################################################################### |
| 2123 | #·BEGIN·fix·(48·/·94)·for·'auditd_data_retention_space_left_action' | 2123 | #·BEGIN·fix·(48·/·94)·for·'auditd_data_retention_admin_space_left_action' |
| 2124 | ############################################################################### | 2124 | ############################################################################### |
| 2125 | (>&2·echo·"Remediating·rule·48/94:·'auditd_data_retention_space_left_action'") | 2125 | (>&2·echo·"Remediating·rule·48/94:·'auditd_data_retention_admin_space_left_action'") |
| 2126 | var_auditd_space_left_action="suspend" | ||
| 2127 | grep·-q·^space_left_action·/etc/audit/auditd.conf·&&·\ | ||
| 2128 | ··sed·-i·"s/space_left_action.*/space_left_action·=·$var_auditd_space_left_action/g"·/etc/audit/auditd.conf | ||
| 2129 | if·!·[·$?·-eq·0·];·then | ||
| 2130 | ····echo·"space_left_action·=·$var_auditd_space_left_action"·>>·/etc/audit/auditd.conf | ||
| 2131 | fi | ||
| 2132 | #·END·fix·for·'auditd_data_retention_space_left_action' | ||
| 2133 | ############################################################################### | ||
| 2134 | #·BEGIN·fix·(49·/·94)·for·'auditd_data_retention_admin_space_left_action' | ||
| 2135 | ############################################################################### | ||
| 2136 | (>&2·echo·"Remediating·rule·49/94:·'auditd_data_retention_admin_space_left_action'") | ||
| 2137 | var_auditd_admin_space_left_action="suspend" | 2126 | var_auditd_admin_space_left_action="suspend" |
| 2138 | grep·-q·^admin_space_left_action·/etc/audit/auditd.conf·&&·\ | 2127 | grep·-q·^admin_space_left_action·/etc/audit/auditd.conf·&&·\ |
| 2139 | ··sed·-i·"s/admin_space_left_action.*/admin_space_left_action·=·$var_auditd_admin_space_left_action/g"·/etc/audit/auditd.conf | 2128 | ··sed·-i·"s/admin_space_left_action.*/admin_space_left_action·=·$var_auditd_admin_space_left_action/g"·/etc/audit/auditd.conf |
| 2140 | if·!·[·$?·-eq·0·];·then | 2129 | if·!·[·$?·-eq·0·];·then |
| 2141 | ····echo·"admin_space_left_action·=·$var_auditd_admin_space_left_action"·>>·/etc/audit/auditd.conf | 2130 | ····echo·"admin_space_left_action·=·$var_auditd_admin_space_left_action"·>>·/etc/audit/auditd.conf |
| 2142 | fi | 2131 | fi |
| 2143 | #·END·fix·for·'auditd_data_retention_admin_space_left_action' | 2132 | #·END·fix·for·'auditd_data_retention_admin_space_left_action' |
| 2144 | ############################################################################### | 2133 | ############################################################################### |
| 2145 | #·BEGIN·fix·( | 2134 | #·BEGIN·fix·(49·/·94)·for·'auditd_data_retention_max_log_file_action' |
| 2146 | ############################################################################### | 2135 | ############################################################################### |
| 2147 | (>&2·echo·"Remediating·rule· | 2136 | (>&2·echo·"Remediating·rule·49/94:·'auditd_data_retention_max_log_file_action'") |
| 2148 | var_auditd_ | 2137 | var_auditd_max_log_file_action="rotate" |
| 2149 | AUDITCONFIG=/etc/audit/auditd.conf | 2138 | AUDITCONFIG=/etc/audit/auditd.conf |
| 2150 | grep·-q·^ | 2139 | grep·-q·^max_log_file_action·$AUDITCONFIG·&&·\ |
| 2151 | ··sed·-i·'s/^ | 2140 | ··sed·-i·'s/^max_log_file_action.*/max_log_file_action·=·'"$var_auditd_max_log_file_action"'/g'·$AUDITCONFIG |
| 2152 | if·!·[·$?·-eq·0·];·then | 2141 | if·!·[·$?·-eq·0·];·then |
| 2153 | ··echo·" | 2142 | ··echo·"max_log_file_action·=·$var_auditd_max_log_file_action"·>>·$AUDITCONFIG |
| 2154 | fi | 2143 | fi |
| 2155 | #·END·fix·for·'auditd_data_retention_ | 2144 | #·END·fix·for·'auditd_data_retention_max_log_file_action' |
| 2156 | ############################################################################### | 2145 | ############################################################################### |
| 2157 | #·BEGIN·fix·(5 | 2146 | #·BEGIN·fix·(50·/·94)·for·'auditd_data_retention_space_left_action' |
| 2158 | ############################################################################### | 2147 | ############################################################################### |
| 2159 | (>&2·echo·"Remediating·rule·5 | 2148 | (>&2·echo·"Remediating·rule·50/94:·'auditd_data_retention_space_left_action'") |
| 2160 | var_auditd_ | 2149 | var_auditd_space_left_action="suspend" |
| 2150 | grep·-q·^space_left_action·/etc/audit/auditd.conf·&&·\ | ||
| 2151 | ··sed·-i·"s/space_left_action.*/space_left_action·=·$var_auditd_space_left_action/g"·/etc/audit/auditd.conf | ||
| 2152 | if·!·[·$?·-eq·0·];·then | ||
| 2153 | ····echo·"space_left_action·=·$var_auditd_space_left_action"·>>·/etc/audit/auditd.conf | ||
| 2154 | fi | ||
| 2155 | #·END·fix·for·'auditd_data_retention_space_left_action' | ||
| Max diff block lines reached; 54266/61706 bytes (87.94%) of diff not shown. | |||
| Offset 376, 17 lines modified | Offset 376, 19 lines modified | ||
| 376 | ··fi | 376 | ··fi |
| 377 | } | 377 | } |
| 378 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' | 378 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' |
| 379 | #·END·fix·for·'sshd_set_keepalive' | 379 | #·END·fix·for·'sshd_set_keepalive' |
| 380 | ############################################################################### | 380 | ############################################################################### |
| 381 | #·BEGIN·fix·(7·/·70)·for·'sshd_e | 381 | #·BEGIN·fix·(7·/·70)·for·'sshd_set_idle_timeout' |
| 382 | ############################################################################### | 382 | ############################################################################### |
| 383 | (>&2·echo·"Remediating·rule·7/70:·'sshd_e | 383 | (>&2·echo·"Remediating·rule·7/70:·'sshd_set_idle_timeout'") |
| 384 | sshd_idle_timeout_value="300" | ||
| 384 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 385 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 385 | #·it·does·not·exist. | 386 | #·it·does·not·exist. |
| 386 | # | 387 | # |
| 387 | #·Expects·arguments: | 388 | #·Expects·arguments: |
| 388 | # | 389 | # |
| 389 | #·config_file:» » Configuration·file·that·will·be·modified | 390 | #·config_file:» » Configuration·file·that·will·be·modified |
| 390 | #·key:» » » Configuration·option·to·change | 391 | #·key:» » » Configuration·option·to·change |
| Offset 457, 21 lines modified | Offset 459, 21 lines modified | ||
| 457 | ··else | 459 | ··else |
| 458 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 460 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 459 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 461 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 460 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 462 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 461 | ··fi | 463 | ··fi |
| 462 | } | 464 | } |
| 463 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 465 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 464 | #·END·fix·for·'sshd_e | 466 | #·END·fix·for·'sshd_set_idle_timeout' |
| 465 | ############################################################################### | 467 | ############################################################################### |
| 466 | #·BEGIN·fix·(8·/·70)·for·'sshd_ | 468 | #·BEGIN·fix·(8·/·70)·for·'sshd_enable_warning_banner' |
| 467 | ############################################################################### | 469 | ############################################################################### |
| 468 | (>&2·echo·"Remediating·rule·8/70:·'sshd_ | 470 | (>&2·echo·"Remediating·rule·8/70:·'sshd_enable_warning_banner'") |
| 469 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 471 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 470 | #·it·does·not·exist. | 472 | #·it·does·not·exist. |
| 471 | # | 473 | # |
| 472 | #·Expects·arguments: | 474 | #·Expects·arguments: |
| 473 | # | 475 | # |
| 474 | #·config_file:» » Configuration·file·that·will·be·modified | 476 | #·config_file:» » Configuration·file·that·will·be·modified |
| 475 | #·key:» » » Configuration·option·to·change | 477 | #·key:» » » Configuration·option·to·change |
| Offset 542, 16 lines modified | Offset 544, 16 lines modified | ||
| 542 | ··else | 544 | ··else |
| 543 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 545 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 544 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 546 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 545 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 547 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 546 | ··fi | 548 | ··fi |
| 547 | } | 549 | } |
| 548 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 550 | replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s' |
| 549 | #·END·fix·for·'sshd_ | 551 | #·END·fix·for·'sshd_enable_warning_banner' |
| 550 | ############################################################################### | 552 | ############################################################################### |
| 551 | #·BEGIN·fix·(9·/·70)·for·'sshd_allow_only_protocol2' | 553 | #·BEGIN·fix·(9·/·70)·for·'sshd_allow_only_protocol2' |
| 552 | ############################################################################### | 554 | ############################################################################### |
| 553 | (>&2·echo·"Remediating·rule·9/70:·'sshd_allow_only_protocol2'") | 555 | (>&2·echo·"Remediating·rule·9/70:·'sshd_allow_only_protocol2'") |
| 554 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 556 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 555 | #·it·does·not·exist. | 557 | #·it·does·not·exist. |
| Offset 716, 19 lines modified | Offset 718, 17 lines modified | ||
| 716 | ··fi | 718 | ··fi |
| 717 | } | 719 | } |
| 718 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s' | 720 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s' |
| 719 | #·END·fix·for·'sshd_disable_rhosts' | 721 | #·END·fix·for·'sshd_disable_rhosts' |
| 720 | ############################################################################### | 722 | ############################################################################### |
| 721 | #·BEGIN·fix·(11·/·70)·for·'sshd_ | 723 | #·BEGIN·fix·(11·/·70)·for·'sshd_do_not_permit_user_env' |
| 722 | ############################################################################### | 724 | ############################################################################### |
| 723 | (>&2·echo·"Remediating·rule·11/70:·'sshd_ | 725 | (>&2·echo·"Remediating·rule·11/70:·'sshd_do_not_permit_user_env'") |
| 724 | sshd_idle_timeout_value="300" | ||
| 725 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 726 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 726 | #·it·does·not·exist. | 727 | #·it·does·not·exist. |
| 727 | # | 728 | # |
| 728 | #·Expects·arguments: | 729 | #·Expects·arguments: |
| 729 | # | 730 | # |
| 730 | #·config_file:» » Configuration·file·that·will·be·modified | 731 | #·config_file:» » Configuration·file·that·will·be·modified |
| 731 | #·key:» » » Configuration·option·to·change | 732 | #·key:» » » Configuration·option·to·change |
| Offset 799, 16 lines modified | Offset 799, 16 lines modified | ||
| 799 | ··else | 799 | ··else |
| 800 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 800 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 801 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 801 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 802 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 802 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 803 | ··fi | 803 | ··fi |
| 804 | } | 804 | } |
| 805 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 805 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s' |
| 806 | #·END·fix·for·'sshd_ | 806 | #·END·fix·for·'sshd_do_not_permit_user_env' |
| 807 | ############################################################################### | 807 | ############################################################################### |
| 808 | #·BEGIN·fix·(12·/·70)·for·'sshd_use_approved_ciphers' | 808 | #·BEGIN·fix·(12·/·70)·for·'sshd_use_approved_ciphers' |
| 809 | ############################################################################### | 809 | ############################################################################### |
| 810 | (>&2·echo·"Remediating·rule·12/70:·'sshd_use_approved_ciphers'") | 810 | (>&2·echo·"Remediating·rule·12/70:·'sshd_use_approved_ciphers'") |
| 811 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 811 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 812 | #·it·does·not·exist. | 812 | #·it·does·not·exist. |
| Offset 1502, 26 lines modified | Offset 1502, 26 lines modified | ||
| 1502 | ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs | 1502 | ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs |
| 1503 | if·!·[·$?·-eq·0·];·then | 1503 | if·!·[·$?·-eq·0·];·then |
| 1504 | ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs | 1504 | ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs |
| 1505 | fi | 1505 | fi |
| 1506 | #·END·fix·for·'accounts_minimum_age_login_defs' | 1506 | #·END·fix·for·'accounts_minimum_age_login_defs' |
| 1507 | ############################################################################### | 1507 | ############################################################################### |
| 1508 | #·BEGIN·fix·(34·/·70)·for·' | 1508 | #·BEGIN·fix·(34·/·70)·for·'no_shelllogin_for_systemaccounts' |
| 1509 | ############################################################################### | 1509 | ############################################################################### |
| 1510 | (>&2·echo·"Remediating·rule·34/70:·' | 1510 | (>&2·echo·"Remediating·rule·34/70:·'no_shelllogin_for_systemaccounts'") |
| 1511 | 1511 | #·FIX·FOR·THIS·RULE·IS·MISSING | |
| 1512 | #·END·fix·for·' | 1512 | #·END·fix·for·'no_shelllogin_for_systemaccounts' |
| 1513 | ############################################################################### | 1513 | ############################################################################### |
| 1514 | #·BEGIN·fix·(35·/·70)·for·' | 1514 | #·BEGIN·fix·(35·/·70)·for·'accounts_no_uid_except_zero' |
| 1515 | ############################################################################### | 1515 | ############################################################################### |
| 1516 | (>&2·echo·"Remediating·rule·35/70:·' | 1516 | (>&2·echo·"Remediating·rule·35/70:·'accounts_no_uid_except_zero'") |
| 1517 | 1517 | awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l | |
| 1518 | #·END·fix·for·' | 1518 | #·END·fix·for·'accounts_no_uid_except_zero' |
| 1519 | ############################################################################### | 1519 | ############################################################################### |
| 1520 | #·BEGIN·fix·(36·/·70)·for·'accounts_password_all_shadowed' | 1520 | #·BEGIN·fix·(36·/·70)·for·'accounts_password_all_shadowed' |
| 1521 | ############################################################################### | 1521 | ############################################################################### |
| 1522 | (>&2·echo·"Remediating·rule·36/70:·'accounts_password_all_shadowed'") | 1522 | (>&2·echo·"Remediating·rule·36/70:·'accounts_password_all_shadowed'") |
| 1523 | #·FIX·FOR·THIS·RULE·IS·MISSING | 1523 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 1524 | #·END·fix·for·'accounts_password_all_shadowed' | 1524 | #·END·fix·for·'accounts_password_all_shadowed' |
| Offset 2267, 37 lines modified | Offset 2267, 37 lines modified | ||
| 2267 | ############################################################################### | 2267 | ############################################################################### |
| 2268 | (>&2·echo·"Remediating·rule·66/70:·'file_permissions_etc_passwd'") | 2268 | (>&2·echo·"Remediating·rule·66/70:·'file_permissions_etc_passwd'") |
| 2269 | chmod·0644·/etc/passwd | 2269 | chmod·0644·/etc/passwd |
| Max diff block lines reached; 1963/8920 bytes (22.01%) of diff not shown. | |||
| Offset 1476, 158 lines modified | Offset 1476, 17 lines modified | ||
| 1476 | } | 1476 | } |
| 1477 | fix_audit_watch_rule·"auditctl"·"/usr/sbin/modprobe"·"x"·"modules" | 1477 | fix_audit_watch_rule·"auditctl"·"/usr/sbin/modprobe"·"x"·"modules" |
| 1478 | fix_audit_watch_rule·"augenrules"·"/usr/sbin/modprobe"·"x"·"modules" | 1478 | fix_audit_watch_rule·"augenrules"·"/usr/sbin/modprobe"·"x"·"modules" |
| 1479 | #·END·fix·for·'audit_rules_kernel_module_loading' | 1479 | #·END·fix·for·'audit_rules_kernel_module_loading' |
| 1480 | ############################################################################### | 1480 | ############################################################################### |
| 1481 | #·BEGIN·fix·(19·/·51)·for·'audit_rules_time_ | 1481 | #·BEGIN·fix·(19·/·51)·for·'audit_rules_time_stime' |
| 1482 | ############################################################################### | 1482 | ############################################################################### |
| 1483 | (>&2·echo·"Remediating·rule·19/51:·'audit_rules_time_ | 1483 | (>&2·echo·"Remediating·rule·19/51:·'audit_rules_time_stime'") |
| 1484 | #·Perform·the·remediation·for·both·possible·tools:·'auditctl'·and·'augenrules' | ||
| 1485 | #·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: | ||
| 1486 | #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements | ||
| 1487 | #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect | ||
| 1488 | #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules | ||
| 1489 | # | ||
| 1490 | #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: | ||
| 1491 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, | ||
| 1492 | #·» » » » » either·'auditctl',·or·'augenrules' | ||
| 1493 | #·*·path························» value·of·-w·audit·rule's·argument | ||
| 1494 | #·*·required·access·bits········» value·of·-p·audit·rule's·argument | ||
| 1495 | #·*·key·························» value·of·-k·audit·rule's·argument | ||
| 1496 | # | ||
| 1497 | #·Example·call: | ||
| 1498 | # | ||
| 1499 | #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" | ||
| 1500 | # | ||
| 1501 | function·fix_audit_watch_rule·{ | ||
| 1502 | #·Load·function·arguments·into·local·variables | ||
| 1503 | local·tool="$1" | ||
| 1504 | local·path="$2" | ||
| 1505 | local·required_access_bits="$3" | ||
| 1506 | local·key="$4" | ||
| 1507 | #·Check·sanity·of·the·input | ||
| 1508 | if·[·$#·-ne·"4"·] | ||
| 1509 | then | ||
| 1510 | » echo·"Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'" | ||
| 1511 | » echo·"Aborting." | ||
| 1512 | » exit·1 | ||
| 1513 | fi | ||
| 1514 | #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness | ||
| 1515 | #·of·a·particular·audit·rule.·The·scheme·is·as·follows: | ||
| 1516 | # | ||
| 1517 | #·----------------------------------------------------------------------------------------- | ||
| 1518 | #·Tool·used·to·load·audit·rules» |·Rule·already·defined» |··Audit·rules·file·to·inspect» ··| | ||
| 1519 | #·----------------------------------------------------------------------------------------- | ||
| 1520 | #» auditctl» » |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| | ||
| 1521 | #·----------------------------------------------------------------------------------------- | ||
| 1522 | #·» augenrules» » |··········Yes»»|··/etc/audit/rules.d/*.rules» ··| | ||
| 1523 | #·» augenrules» » |··········No» » |··/etc/audit/rules.d/$key.rules··| | ||
| 1524 | #·----------------------------------------------------------------------------------------- | ||
| 1525 | declare·-a·files_to_inspect | ||
| 1526 | #·Check·sanity·of·the·specified·audit·tool | ||
| 1527 | if·[·"$tool"·!=·'auditctl'·]·&&·[·"$tool"·!=·'augenrules'·] | ||
| 1528 | then | ||
| 1529 | » echo·"Unknown·audit·rules·loading·tool:·$1.·Aborting." | ||
| 1530 | » echo·"Use·either·'auditctl'·or·'augenrules'!" | ||
| 1531 | » exit·1 | ||
| 1532 | #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' | ||
| 1533 | #·into·the·list·of·files·to·be·inspected | ||
| 1534 | elif·[·"$tool"·==·'auditctl'·] | ||
| 1535 | then | ||
| 1536 | » files_to_inspect=("${files_to_inspect[@]}"·'/etc/audit/audit.rules') | ||
| 1537 | #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined | ||
| 1538 | #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. | ||
| 1539 | #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. | ||
| 1540 | elif·[·"$tool"·==·'augenrules'·] | ||
| 1541 | then | ||
| 1542 | » #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file | ||
| 1543 | » #·Get·pair·--·filepath·:·matching_row·into·@matches·array | ||
| 1544 | » IFS=$'\n'·matches=($(grep·-P·"[\s]*-w[\s]+$path"·/etc/audit/rules.d/*.rules)) | ||
| 1545 | » #·Reset·IFS·back·to·default | ||
| 1546 | » unset·IFS | ||
| 1547 | » #·For·each·of·the·matched·entries | ||
| 1548 | » for·match·in·"${matches[@]}" | ||
| 1549 | » do | ||
| 1550 | » » #·Extract·filepath·from·the·match | ||
| 1551 | » » rulesd_audit_file=$(echo·$match·|·cut·-f1·-d·':') | ||
| 1552 | » » #·Append·that·path·into·list·of·files·for·inspection | ||
| 1553 | » » files_to_inspect=("${files_to_inspect[@]}"·"$rulesd_audit_file") | ||
| 1554 | » done | ||
| 1555 | » #·Case·when·particular·audit·rule·isn't·defined·yet | ||
| 1556 | » if·[·${#files_to_inspect[@]}·-eq·"0"·] | ||
| 1557 | » then | ||
| 1558 | » » #·Append·'/etc/audit/rules.d/$key.rules'·into·list·of·files·for·inspection | ||
| 1559 | » » files_to_inspect="/etc/audit/rules.d/$key.rules" | ||
| 1560 | » » #·If·the·$key.rules·file·doesn't·exist·yet,·create·it·with·correct·permissions | ||
| 1561 | » » if·[·!·-e·"$files_to_inspect"·] | ||
| 1562 | » » then | ||
| 1563 | » » » touch·"$files_to_inspect" | ||
| 1564 | » » » chmod·0640·"$files_to_inspect" | ||
| 1565 | » » fi | ||
| 1566 | » fi | ||
| 1567 | fi | ||
| 1568 | #·Finally·perform·the·inspection·and·possible·subsequent·audit·rule | ||
| 1569 | #·correction·for·each·of·the·files·previously·identified·for·inspection | ||
| 1570 | for·audit_rules_file·in·"${files_to_inspect[@]}" | ||
| 1571 | do | ||
| 1572 | » #·Check·if·audit·watch·file·system·object·rule·for·given·path·already·present | ||
| 1573 | » if·grep·-q·-P·--·"[\s]*-w[\s]+$path"·"$audit_rules_file" | ||
| 1574 | » then | ||
| 1575 | » » #·Rule·is·found·=>·verify·yet·if·existing·rule·definition·contains | ||
| 1576 | » » #·all·of·the·required·access·type·bits | ||
| 1577 | » » #·Escape·slashes·in·path·for·use·in·sed·pattern·below | ||
| 1578 | » » local·esc_path=${path//$'/'/$'\/'} | ||
| 1579 | » » #·Define·BRE·whitespace·class·shortcut | ||
| 1580 | » » local·sp="[[:space:]]" | ||
| 1581 | » » #·Extract·current·permission·access·types·(e.g.·-p·[r|w|x|a]·values)·from·audit·rule | ||
| 1582 | » » current_access_bits=$(sed·-ne·"s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p"·"$audit_rules_file") | ||
| 1583 | » » #·Split·required·access·bits·string·into·characters·array | ||
| 1584 | » » #·(to·check·bit's·presence·for·one·bit·at·a·time) | ||
| 1585 | » » for·access_bit·in·$(echo·"$required_access_bits"·|·grep·-o·.) | ||
| 1586 | » » do | ||
| 1587 | » » » #·For·each·from·the·required·access·bits·(e.g.·'w',·'a')·check | ||
| 1588 | » » » #·if·they·are·already·present·in·current·access·bits·for·rule. | ||
| 1589 | » » » #·If·not,·append·that·bit·at·the·end | ||
| 1590 | » » » if·!·grep·-q·"$access_bit"·<<<·"$current_access_bits" | ||
| 1591 | » » » then | ||
| Max diff block lines reached; 47569/54366 bytes (87.50%) of diff not shown. | |||
| Offset 496, 17 lines modified | Offset 496, 17 lines modified | ||
| 496 | #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems' | 496 | #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems' |
| 497 | ############################################################################### | 497 | ############################################################################### |
| 498 | (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'") | 498 | (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'") |
| 499 | #·FIX·FOR·THIS·RULE·IS·MISSING | 499 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 500 | #·END·fix·for·'mount_option_nosuid_remote_filesystems' | 500 | #·END·fix·for·'mount_option_nosuid_remote_filesystems' |
| 501 | ############################################################################### | 501 | ############################################################################### |
| 502 | #·BEGIN·fix·(23·/·243)·for·'sshd_ | 502 | #·BEGIN·fix·(23·/·243)·for·'sshd_enable_strictmodes' |
| 503 | ############################################################################### | 503 | ############################################################################### |
| 504 | (>&2·echo·"Remediating·rule·23/243:·'sshd_ | 504 | (>&2·echo·"Remediating·rule·23/243:·'sshd_enable_strictmodes'") |
| 505 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 505 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 506 | #·it·does·not·exist. | 506 | #·it·does·not·exist. |
| 507 | # | 507 | # |
| 508 | #·Expects·arguments: | 508 | #·Expects·arguments: |
| 509 | # | 509 | # |
| 510 | #·config_file:» » Configuration·file·that·will·be·modified | 510 | #·config_file:» » Configuration·file·that·will·be·modified |
| 511 | #·key:» » » Configuration·option·to·change | 511 | #·key:» » » Configuration·option·to·change |
| Offset 577, 21 lines modified | Offset 577, 21 lines modified | ||
| 577 | ··else | 577 | ··else |
| 578 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 578 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 579 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 579 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 580 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 580 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 581 | ··fi | 581 | ··fi |
| 582 | } | 582 | } |
| 583 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 583 | replace_or_append·'/etc/ssh/sshd_config'·'^StrictModes'·'yes'·'CCE-80222-3'·'%s·%s' |
| 584 | #·END·fix·for·'sshd_ | 584 | #·END·fix·for·'sshd_enable_strictmodes' |
| 585 | ############################################################################### | 585 | ############################################################################### |
| 586 | #·BEGIN·fix·(24·/·243)·for·'sshd_disable_ | 586 | #·BEGIN·fix·(24·/·243)·for·'sshd_disable_user_known_hosts' |
| 587 | ############################################################################### | 587 | ############################################################################### |
| 588 | (>&2·echo·"Remediating·rule·24/243:·'sshd_disable_ | 588 | (>&2·echo·"Remediating·rule·24/243:·'sshd_disable_user_known_hosts'") |
| 589 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 589 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 590 | #·it·does·not·exist. | 590 | #·it·does·not·exist. |
| 591 | # | 591 | # |
| 592 | #·Expects·arguments: | 592 | #·Expects·arguments: |
| 593 | # | 593 | # |
| 594 | #·config_file:» » Configuration·file·that·will·be·modified | 594 | #·config_file:» » Configuration·file·that·will·be·modified |
| 595 | #·key:» » » Configuration·option·to·change | 595 | #·key:» » » Configuration·option·to·change |
| Offset 662, 21 lines modified | Offset 662, 21 lines modified | ||
| 662 | ··else | 662 | ··else |
| 663 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 663 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 664 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 664 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 665 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 665 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 666 | ··fi | 666 | ··fi |
| 667 | } | 667 | } |
| 668 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 668 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreUserKnownHosts'·'yes'·'CCE-80372-6'·'%s·%s' |
| 669 | #·END·fix·for·'sshd_disable_ | 669 | #·END·fix·for·'sshd_disable_user_known_hosts' |
| 670 | ############################################################################### | 670 | ############################################################################### |
| 671 | #·BEGIN·fix·(25·/·243)·for·'sshd_set_ | 671 | #·BEGIN·fix·(25·/·243)·for·'sshd_disable_empty_passwords' |
| 672 | ############################################################################### | 672 | ############################################################################### |
| 673 | (>&2·echo·"Remediating·rule·25/243:·'sshd_set_ | 673 | (>&2·echo·"Remediating·rule·25/243:·'sshd_disable_empty_passwords'") |
| 674 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 674 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 675 | #·it·does·not·exist. | 675 | #·it·does·not·exist. |
| 676 | # | 676 | # |
| 677 | #·Expects·arguments: | 677 | #·Expects·arguments: |
| 678 | # | 678 | # |
| 679 | #·config_file:» » Configuration·file·that·will·be·modified | 679 | #·config_file:» » Configuration·file·that·will·be·modified |
| 680 | #·key:» » » Configuration·option·to·change | 680 | #·key:» » » Configuration·option·to·change |
| Offset 747, 21 lines modified | Offset 747, 21 lines modified | ||
| 747 | ··else | 747 | ··else |
| 748 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 748 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 749 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 749 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 750 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 750 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 751 | ··fi | 751 | ··fi |
| 752 | } | 752 | } |
| 753 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 753 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s' |
| 754 | #·END·fix·for·'sshd_set_ | 754 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 755 | ############################################################################### | 755 | ############################################################################### |
| 756 | #·BEGIN·fix·(26·/·243)·for·'sshd_ | 756 | #·BEGIN·fix·(26·/·243)·for·'sshd_set_keepalive' |
| 757 | ############################################################################### | 757 | ############################################################################### |
| 758 | (>&2·echo·"Remediating·rule·26/243:·'sshd_ | 758 | (>&2·echo·"Remediating·rule·26/243:·'sshd_set_keepalive'") |
| 759 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 759 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 760 | #·it·does·not·exist. | 760 | #·it·does·not·exist. |
| 761 | # | 761 | # |
| 762 | #·Expects·arguments: | 762 | #·Expects·arguments: |
| 763 | # | 763 | # |
| 764 | #·config_file:» » Configuration·file·that·will·be·modified | 764 | #·config_file:» » Configuration·file·that·will·be·modified |
| 765 | #·key:» » » Configuration·option·to·change | 765 | #·key:» » » Configuration·option·to·change |
| Offset 832, 21 lines modified | Offset 832, 23 lines modified | ||
| 832 | ··else | 832 | ··else |
| 833 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 833 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 834 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 834 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 835 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 835 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 836 | ··fi | 836 | ··fi |
| 837 | } | 837 | } |
| 838 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 838 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' |
| 839 | #·END·fix·for·'sshd_ | 839 | #·END·fix·for·'sshd_set_keepalive' |
| 840 | ############################################################################### | 840 | ############################################################################### |
| 841 | #·BEGIN·fix·(27·/·243)·for·'sshd_e | 841 | #·BEGIN·fix·(27·/·243)·for·'sshd_set_idle_timeout' |
| 842 | ############################################################################### | 842 | ############################################################################### |
| 843 | (>&2·echo·"Remediating·rule·27/243:·'sshd_e | 843 | (>&2·echo·"Remediating·rule·27/243:·'sshd_set_idle_timeout'") |
| 844 | sshd_idle_timeout_value="600" | ||
| 844 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 845 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 845 | #·it·does·not·exist. | 846 | #·it·does·not·exist. |
| 846 | # | 847 | # |
| 847 | #·Expects·arguments: | 848 | #·Expects·arguments: |
| 848 | # | 849 | # |
| 849 | #·config_file:» » Configuration·file·that·will·be·modified | 850 | #·config_file:» » Configuration·file·that·will·be·modified |
| 850 | #·key:» » » Configuration·option·to·change | 851 | #·key:» » » Configuration·option·to·change |
| Offset 917, 23 lines modified | Offset 919, 21 lines modified | ||
| 917 | ··else | 919 | ··else |
| 918 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 920 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 919 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 921 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 920 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 922 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 921 | ··fi | 923 | ··fi |
| 922 | } | 924 | } |
| 923 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 925 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 924 | #·END·fix·for·'sshd_e | 926 | #·END·fix·for·'sshd_set_idle_timeout' |
| 925 | ############################################################################### | 927 | ############################################################################### |
| 926 | #·BEGIN·fix·(28·/·243)·for·'sshd_ | 928 | #·BEGIN·fix·(28·/·243)·for·'sshd_enable_warning_banner' |
| 927 | ############################################################################### | 929 | ############################################################################### |
| 928 | (>&2·echo·"Remediating·rule·28/243:·'sshd_ | 930 | (>&2·echo·"Remediating·rule·28/243:·'sshd_enable_warning_banner'") |
| 929 | sshd_approved_macs="hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com" | ||
| 930 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 931 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 931 | #·it·does·not·exist. | 932 | #·it·does·not·exist. |
| 932 | # | 933 | # |
| Max diff block lines reached; 122126/129181 bytes (94.54%) of diff not shown. | |||
| Offset 39, 44 lines modified | Offset 39, 44 lines modified | ||
| 39 | #·BEGIN·fix·(3·/·32)·for·'cinder_using_keystone' | 39 | #·BEGIN·fix·(3·/·32)·for·'cinder_using_keystone' |
| 40 | ############################################################################### | 40 | ############################################################################### |
| 41 | (>&2·echo·"Remediating·rule·3/32:·'cinder_using_keystone'") | 41 | (>&2·echo·"Remediating·rule·3/32:·'cinder_using_keystone'") |
| 42 | openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·auth_strategy·keystone | 42 | openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·auth_strategy·keystone |
| 43 | #·END·fix·for·'cinder_using_keystone' | 43 | #·END·fix·for·'cinder_using_keystone' |
| 44 | ############################################################################### | 44 | ############################################################################### |
| 45 | #·BEGIN·fix·(4·/·32)·for·'cinder_ | 45 | #·BEGIN·fix·(4·/·32)·for·'cinder_nova_tls' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | (>&2·echo·"Remediating·rule·4/32:·'cinder_ | 47 | (>&2·echo·"Remediating·rule·4/32:·'cinder_nova_tls'") |
| 48 | openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·nova_api_insecure·False | ||
| 49 | #·END·fix·for·'cinder_nova_tls' | ||
| 50 | ############################################################################### | ||
| 51 | #·BEGIN·fix·(5·/·32)·for·'cinder_tls_enabled' | ||
| 52 | ############################################################################### | ||
| 53 | (>&2·echo·"Remediating·rule·5/32:·'cinder_tls_enabled'") | ||
| 48 | OLD_IDENTITY_URL=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri) | 54 | OLD_IDENTITY_URL=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri) |
| 49 | NEW_IDENTITY_URI="${OLD_IDENTITY_URI:0:4}s${OLD_IDENTITY_URI:4:-1}" | 55 | NEW_IDENTITY_URI="${OLD_IDENTITY_URI:0:4}s${OLD_IDENTITY_URI:4:-1}" |
| 50 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri·$NEW_IDENTIY_URI | 56 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri·$NEW_IDENTIY_URI |
| 51 | OLD_AUTH_URI=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri) | 57 | OLD_AUTH_URI=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri) |
| 52 | NEW_AUTH_URI="${OLD_AUTH_URI:0:4}s${OLD_AUTH_URI:4:-1}" | 58 | NEW_AUTH_URI="${OLD_AUTH_URI:0:4}s${OLD_AUTH_URI:4:-1}" |
| 53 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri·$NEW_AUTH_URI | 59 | openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri·$NEW_AUTH_URI |
| 54 | #·END·fix·for·'cinder_tls_enabled' | 60 | #·END·fix·for·'cinder_tls_enabled' |
| 55 | ############################################################################### | 61 | ############################################################################### |
| 56 | #·BEGIN·fix·( | 62 | #·BEGIN·fix·(6·/·32)·for·'cinder_file_perms' |
| 57 | ############################################################################### | 63 | ############################################################################### |
| 58 | (>&2·echo·"Remediating·rule· | 64 | (>&2·echo·"Remediating·rule·6/32:·'cinder_file_perms'") |
| 59 | chmod·640·/etc/cinder/cinder.conf | 65 | chmod·640·/etc/cinder/cinder.conf |
| 60 | chmod·640·/etc/cinder/api-paste.ini | 66 | chmod·640·/etc/cinder/api-paste.ini |
| 61 | chmod·640·/etc/cinder/policy.json | 67 | chmod·640·/etc/cinder/policy.json |
| 62 | chmod·640·/etc/cinder/rootwrap.conf | 68 | chmod·640·/etc/cinder/rootwrap.conf |
| 63 | #·END·fix·for·'cinder_file_perms' | 69 | #·END·fix·for·'cinder_file_perms' |
| 64 | ############################################################################### | 70 | ############################################################################### |
| 65 | #·BEGIN·fix·(6·/·32)·for·'cinder_nova_tls' | ||
| 66 | ############################################################################### | ||
| 67 | (>&2·echo·"Remediating·rule·6/32:·'cinder_nova_tls'") | ||
| 68 | openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·nova_api_insecure·False | ||
| 69 | #·END·fix·for·'cinder_nova_tls' | ||
| 70 | ############################################################################### | ||
| 71 | #·BEGIN·fix·(7·/·32)·for·'cinder_file_ownership' | 71 | #·BEGIN·fix·(7·/·32)·for·'cinder_file_ownership' |
| 72 | ############################################################################### | 72 | ############################################################################### |
| 73 | (>&2·echo·"Remediating·rule·7/32:·'cinder_file_ownership'") | 73 | (>&2·echo·"Remediating·rule·7/32:·'cinder_file_ownership'") |
| 74 | for·file·in·/etc/cinder/cinder.conf·\ | 74 | for·file·in·/etc/cinder/cinder.conf·\ |
| 75 | » » /etc/cinder/api-paste.ini·\ | 75 | » » /etc/cinder/api-paste.ini·\ |
| 76 | » » /etc/cinder/policy.json·\ | 76 | » » /etc/cinder/policy.json·\ |
| 77 | » » /etc/cinder/rootwrap.conf;·do | 77 | » » /etc/cinder/rootwrap.conf;·do |
| Offset 239, 31 lines modified | Offset 239, 31 lines modified | ||
| 239 | #·BEGIN·fix·(27·/·32)·for·'horizon_session_cookie_secure' | 239 | #·BEGIN·fix·(27·/·32)·for·'horizon_session_cookie_secure' |
| 240 | ############################################################################### | 240 | ############################################################################### |
| 241 | (>&2·echo·"Remediating·rule·27/32:·'horizon_session_cookie_secure'") | 241 | (>&2·echo·"Remediating·rule·27/32:·'horizon_session_cookie_secure'") |
| 242 | openstack-config·--set·/etc/openstack-dashboard/local_settings·DEFAULT·SESSION_COOKIE_SECURE·True | 242 | openstack-config·--set·/etc/openstack-dashboard/local_settings·DEFAULT·SESSION_COOKIE_SECURE·True |
| 243 | #·END·fix·for·'horizon_session_cookie_secure' | 243 | #·END·fix·for·'horizon_session_cookie_secure' |
| 244 | ############################################################################### | 244 | ############################################################################### |
| 245 | #·BEGIN·fix·(28·/·32)·for·'neutron_ | 245 | #·BEGIN·fix·(28·/·32)·for·'neutron_use_keystone' |
| 246 | ############################################################################### | 246 | ############################################################################### |
| 247 | (>&2·echo·"Remediating·rule·28/32:·'neutron_ | 247 | (>&2·echo·"Remediating·rule·28/32:·'neutron_use_keystone'") |
| 248 | openstack-config·--set·/etc/neutron/neutron.conf·DEFAULT·auth_strategy·keystone | ||
| 249 | #·END·fix·for·'neutron_use_keystone' | ||
| 250 | ############################################################################### | ||
| 251 | #·BEGIN·fix·(29·/·32)·for·'neutron_file_perms' | ||
| 252 | ############################################################################### | ||
| 253 | (>&2·echo·"Remediating·rule·29/32:·'neutron_file_perms'") | ||
| 248 | chmod·640·/etc/neutron/neutron.conf | 254 | chmod·640·/etc/neutron/neutron.conf |
| 249 | chmod·640·/etc/neutron/api-paste.ini | 255 | chmod·640·/etc/neutron/api-paste.ini |
| 250 | chmod·640·/etc/neutron/policy.json | 256 | chmod·640·/etc/neutron/policy.json |
| 251 | chmod·640·/etc/neutron/rootwrap.conf | 257 | chmod·640·/etc/neutron/rootwrap.conf |
| 252 | #·END·fix·for·'neutron_file_perms' | 258 | #·END·fix·for·'neutron_file_perms' |
| 253 | ############################################################################### | 259 | ############################################################################### |
| 254 | #·BEGIN·fix·(29·/·32)·for·'neutron_use_keystone' | ||
| 255 | ############################################################################### | ||
| 256 | (>&2·echo·"Remediating·rule·29/32:·'neutron_use_keystone'") | ||
| 257 | openstack-config·--set·/etc/neutron/neutron.conf·DEFAULT·auth_strategy·keystone | ||
| 258 | #·END·fix·for·'neutron_use_keystone' | ||
| 259 | ############################################################################### | ||
| 260 | #·BEGIN·fix·(30·/·32)·for·'neutron_use_https' | 260 | #·BEGIN·fix·(30·/·32)·for·'neutron_use_https' |
| 261 | ############################################################################### | 261 | ############################################################################### |
| 262 | (>&2·echo·"Remediating·rule·30/32:·'neutron_use_https'") | 262 | (>&2·echo·"Remediating·rule·30/32:·'neutron_use_https'") |
| 263 | STR_IDENTITY_URI=$(openstack-config·--get·/etc/neutron/neutron.conf·keystone_authtoken·identity_uri) | 263 | STR_IDENTITY_URI=$(openstack-config·--get·/etc/neutron/neutron.conf·keystone_authtoken·identity_uri) |
| 264 | NEW_IDENTITY_URI=${STR_IDENTITY_URI:0:4}s${STR_IDENTITY_URI:4:-1} | 264 | NEW_IDENTITY_URI=${STR_IDENTITY_URI:0:4}s${STR_IDENTITY_URI:4:-1} |
| 265 | openstack-config·--set·/etc/neutron/neutron.conf·keystone_authtoken·identity_uri·$NEW_IDENTITY_URI | 265 | openstack-config·--set·/etc/neutron/neutron.conf·keystone_authtoken·identity_uri·$NEW_IDENTITY_URI |
| Offset 27, 17 lines modified | Offset 27, 17 lines modified | ||
| 27 | # | 27 | # |
| 28 | #·How·to·apply·this·remediation·role: | 28 | #·How·to·apply·this·remediation·role: |
| 29 | #·$·sudo·./remediation-role.sh | 29 | #·$·sudo·./remediation-role.sh |
| 30 | # | 30 | # |
| 31 | ############################################################################### | 31 | ############################################################################### |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | #·BEGIN·fix·(1·/·188)·for·'package_s | 33 | #·BEGIN·fix·(1·/·188)·for·'package_vsftpd_removed' |
| 34 | ############################################################################### | 34 | ############################################################################### |
| 35 | (>&2·echo·"Remediating·rule·1/188:·'package_s | 35 | (>&2·echo·"Remediating·rule·1/188:·'package_vsftpd_removed'") |
| 36 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 36 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 37 | # | 37 | # |
| 38 | #·Example·Call(s): | 38 | #·Example·Call(s): |
| 39 | # | 39 | # |
| 40 | #·····package_remove·telnet-server | 40 | #·····package_remove·telnet-server |
| 41 | # | 41 | # |
| 42 | function·package_remove·{ | 42 | function·package_remove·{ |
| Offset 67, 16 lines modified | Offset 67, 16 lines modified | ||
| 67 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 67 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 68 | ··echo·"Aborting." | 68 | ··echo·"Aborting." |
| 69 | ··exit·1 | 69 | ··exit·1 |
| 70 | fi | 70 | fi |
| 71 | } | 71 | } |
| 72 | package_remove·s | 72 | package_remove·vsftpd |
| 73 | #·END·fix·for·'package_s | 73 | #·END·fix·for·'package_vsftpd_removed' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | #·BEGIN·fix·(2·/·188)·for·'package_httpd_removed' | 75 | #·BEGIN·fix·(2·/·188)·for·'package_httpd_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | (>&2·echo·"Remediating·rule·2/188:·'package_httpd_removed'") | 77 | (>&2·echo·"Remediating·rule·2/188:·'package_httpd_removed'") |
| 78 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 78 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 79 | # | 79 | # |
| Offset 115, 24 lines modified | Offset 115, 61 lines modified | ||
| 115 | } | 115 | } |
| 116 | package_remove·httpd | 116 | package_remove·httpd |
| 117 | #·END·fix·for·'package_httpd_removed' | 117 | #·END·fix·for·'package_httpd_removed' |
| 118 | ############################################################################### | 118 | ############################################################################### |
| 119 | #·BEGIN·fix·(3·/·188)·for·'p | 119 | #·BEGIN·fix·(3·/·188)·for·'package_bind_removed' |
| 120 | ############################################################################### | 120 | ############################################################################### |
| 121 | (>&2·echo·"Remediating·rule·3/188:·'p | 121 | (>&2·echo·"Remediating·rule·3/188:·'package_bind_removed'") |
| 122 | #·F | 122 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 123 | # | 123 | # |
| 124 | #·Example·Call(s): | ||
| 125 | # | ||
| 126 | #·····package_remove·telnet-server | ||
| 127 | # | ||
| 128 | function·package_remove·{ | ||
| 129 | #·Load·function·arguments·into·local·variables | ||
| 130 | local·package="$1" | ||
| 131 | #·Check·sanity·of·the·input | ||
| 132 | if·[·$#·-ne·"1"·] | ||
| 133 | then | ||
| 134 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 135 | ··echo·"Aborting." | ||
| 136 | ··exit·1 | ||
| 137 | fi | ||
| 138 | if·which·dnf·;·then | ||
| 139 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 140 | ····dnf·remove·-y·"$package" | ||
| 141 | ··fi | ||
| 142 | elif·which·yum·;·then | ||
| 143 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 144 | ····yum·remove·-y·"$package" | ||
| 145 | ··fi | ||
| 146 | elif·which·apt-get·;·then | ||
| 147 | ··apt-get·remove·-y·"$package" | ||
| 148 | else | ||
| 149 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 150 | ··echo·"Aborting." | ||
| 151 | ··exit·1 | ||
| 152 | fi | ||
| 153 | } | ||
| 154 | package_remove·bind | ||
| 155 | #·END·fix·for·'package_bind_removed' | ||
| 124 | ############################################################################### | 156 | ############################################################################### |
| 125 | #·BEGIN·fix·(4·/·188)·for·'package_ | 157 | #·BEGIN·fix·(4·/·188)·for·'package_samba_removed' |
| 126 | ############################################################################### | 158 | ############################################################################### |
| 127 | (>&2·echo·"Remediating·rule·4/188:·'package_ | 159 | (>&2·echo·"Remediating·rule·4/188:·'package_samba_removed'") |
| 128 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 160 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 129 | # | 161 | # |
| 130 | #·Example·Call(s): | 162 | #·Example·Call(s): |
| 131 | # | 163 | # |
| 132 | #·····package_remove·telnet-server | 164 | #·····package_remove·telnet-server |
| 133 | # | 165 | # |
| 134 | function·package_remove·{ | 166 | function·package_remove·{ |
| Offset 162, 16 lines modified | Offset 199, 16 lines modified | ||
| 162 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 199 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 163 | ··echo·"Aborting." | 200 | ··echo·"Aborting." |
| 164 | ··exit·1 | 201 | ··exit·1 |
| 165 | fi | 202 | fi |
| 166 | } | 203 | } |
| 167 | package_remove· | 204 | package_remove·samba |
| 168 | #·END·fix·for·'package_ | 205 | #·END·fix·for·'package_samba_removed' |
| 169 | ############################################################################### | 206 | ############################################################################### |
| 170 | #·BEGIN·fix·(5·/·188)·for·'service_ntpd_enabled' | 207 | #·BEGIN·fix·(5·/·188)·for·'service_ntpd_enabled' |
| 171 | ############################################################################### | 208 | ############################################################################### |
| 172 | (>&2·echo·"Remediating·rule·5/188:·'service_ntpd_enabled'") | 209 | (>&2·echo·"Remediating·rule·5/188:·'service_ntpd_enabled'") |
| 173 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 210 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 174 | # | 211 | # |
| Offset 262, 17 lines modified | Offset 299, 105 lines modified | ||
| 262 | #·BEGIN·fix·(7·/·188)·for·'ntpd_specify_remote_server' | 299 | #·BEGIN·fix·(7·/·188)·for·'ntpd_specify_remote_server' |
| 263 | ############################################################################### | 300 | ############################################################################### |
| 264 | (>&2·echo·"Remediating·rule·7/188:·'ntpd_specify_remote_server'") | 301 | (>&2·echo·"Remediating·rule·7/188:·'ntpd_specify_remote_server'") |
| 265 | #·FIX·FOR·THIS·RULE·IS·MISSING | 302 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 266 | #·END·fix·for·'ntpd_specify_remote_server' | 303 | #·END·fix·for·'ntpd_specify_remote_server' |
| 267 | ############################################################################### | 304 | ############################################################################### |
| 268 | #·BEGIN·fix·(8·/·188)·for·' | 305 | #·BEGIN·fix·(8·/·188)·for·'package_openldap-servers_removed' |
| 269 | ############################################################################### | 306 | ############################################################################### |
| 270 | (>&2·echo·"Remediating·rule·8/188:·' | 307 | (>&2·echo·"Remediating·rule·8/188:·'package_openldap-servers_removed'") |
| 308 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 309 | # | ||
| 310 | #·Example·Call(s): | ||
| Max diff block lines reached; 329997/337019 bytes (97.92%) of diff not shown. | |||
| Offset 18, 17 lines modified | Offset 18, 31 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·313)·for·' | 24 | #·BEGIN·fix·(1·/·313)·for·'ftp_log_transactions' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/313:·' | 26 | (>&2·echo·"Remediating·rule·1/313:·'ftp_log_transactions'") |
| 27 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 28 | #·END·fix·for·'ftp_log_transactions' | ||
| 29 | ############################################################################### | ||
| 30 | #·BEGIN·fix·(2·/·313)·for·'ftp_present_banner' | ||
| 31 | ############################################################################### | ||
| 32 | (>&2·echo·"Remediating·rule·2/313:·'ftp_present_banner'") | ||
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 34 | #·END·fix·for·'ftp_present_banner' | ||
| 35 | ############################################################################### | ||
| 36 | #·BEGIN·fix·(3·/·313)·for·'service_vsftpd_disabled' | ||
| 37 | ############################################################################### | ||
| 38 | (>&2·echo·"Remediating·rule·3/313:·'service_vsftpd_disabled'") | ||
| 27 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 39 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 28 | # | 40 | # |
| 29 | #·Example·Call(s): | 41 | #·Example·Call(s): |
| 30 | # | 42 | # |
| 31 | #·····service_command·enable·bluetooth | 43 | #·····service_command·enable·bluetooth |
| 32 | #·····service_command·disable·bluetooth.service | 44 | #·····service_command·disable·bluetooth.service |
| 33 | # | 45 | # |
| Offset 96, 49 lines modified | Offset 110, 60 lines modified | ||
| 96 | ··else | 110 | ··else |
| 97 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 111 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 98 | ··fi | 112 | ··fi |
| 99 | fi | 113 | fi |
| 100 | } | 114 | } |
| 101 | service_command·disable·s | 115 | service_command·disable·vsftpd |
| 102 | #·END·fix·for·'service_s | 116 | #·END·fix·for·'service_vsftpd_disabled' |
| 103 | ############################################################################### | 117 | ############################################################################### |
| 104 | #·BEGIN·fix·( | 118 | #·BEGIN·fix·(4·/·313)·for·'package_vsftpd_removed' |
| 105 | ############################################################################### | 119 | ############################################################################### |
| 106 | (>&2·echo·"Remediating·rule· | 120 | (>&2·echo·"Remediating·rule·4/313:·'package_vsftpd_removed'") |
| 107 | #·F | 121 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 108 | # | 122 | # |
| 123 | #·Example·Call(s): | ||
| 124 | # | ||
| 125 | #·····package_remove·telnet-server | ||
| 126 | # | ||
| 127 | function·package_remove·{ | ||
| 109 | # | 128 | #·Load·function·arguments·into·local·variables |
| 110 | 129 | local·package="$1" | |
| 111 | ############################################################################### | ||
| 112 | (>&2·echo·"Remediating·rule·3/313:·'require_smb_client_signing'") | ||
| 113 | ###################################################################### | ||
| 114 | #By·Luke·"Brisk-OH"·Brisk | ||
| 115 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | ||
| 116 | ###################################################################### | ||
| 117 | 130 | #·Check·sanity·of·the·input | |
| 131 | if·[·$#·-ne·"1"·] | ||
| 132 | then | ||
| 133 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 134 | ··echo·"Aborting." | ||
| 135 | ··exit·1 | ||
| 136 | fi | ||
| 118 | if· | 137 | if·which·dnf·;·then |
| 119 | 138 | ··if·rpm·-q·--quiet·"$package";·then | |
| 120 | 139 | ····dnf·remove·-y·"$package" | |
| 140 | ··fi | ||
| 141 | elif·which·yum·;·then | ||
| 142 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 143 | ····yum·remove·-y·"$package" | ||
| 144 | ··fi | ||
| 145 | elif·which·apt-get·;·then | ||
| 146 | ··apt-get·remove·-y·"$package" | ||
| 121 | else | 147 | else |
| 122 | 148 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 149 | ··echo·"Aborting." | ||
| 150 | ··exit·1 | ||
| 123 | fi | 151 | fi |
| 124 | #·END·fix·for·'require_smb_client_signing' | ||
| 125 | 152 | } | |
| 126 | #·BEGIN·fix·(4·/·313)·for·'mount_option_smb_client_signing' | ||
| 127 | 153 | package_remove·vsftpd | |
| 128 | 154 | #·END·fix·for·'package_vsftpd_removed' | |
| 129 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 130 | #·END·fix·for·'mount_option_smb_client_signing' | ||
| 131 | ############################################################################### | 155 | ############################################################################### |
| 132 | #·BEGIN·fix·(5·/·313)·for·'package_httpd_removed' | 156 | #·BEGIN·fix·(5·/·313)·for·'package_httpd_removed' |
| 133 | ############################################################################### | 157 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule·5/313:·'package_httpd_removed'") | 158 | (>&2·echo·"Remediating·rule·5/313:·'package_httpd_removed'") |
| 135 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 159 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 136 | # | 160 | # |
| Offset 248, 94 lines modified | Offset 273, 183 lines modified | ||
| 248 | #·BEGIN·fix·(15·/·313)·for·'httpd_ldap_support' | 273 | #·BEGIN·fix·(15·/·313)·for·'httpd_ldap_support' |
| 249 | ############################################################################### | 274 | ############################################################################### |
| 250 | (>&2·echo·"Remediating·rule·15/313:·'httpd_ldap_support'") | 275 | (>&2·echo·"Remediating·rule·15/313:·'httpd_ldap_support'") |
| 251 | #·FIX·FOR·THIS·RULE·IS·MISSING | 276 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 252 | #·END·fix·for·'httpd_ldap_support' | 277 | #·END·fix·for·'httpd_ldap_support' |
| 253 | ############################################################################### | 278 | ############################################################################### |
| 254 | #·BEGIN·fix·(16·/·313)·for·'httpd_ | 279 | #·BEGIN·fix·(16·/·313)·for·'httpd_cgi_support' |
| 255 | ############################################################################### | 280 | ############################################################################### |
| 256 | (>&2·echo·"Remediating·rule·16/313:·'httpd_ | 281 | (>&2·echo·"Remediating·rule·16/313:·'httpd_cgi_support'") |
| 257 | #·FIX·FOR·THIS·RULE·IS·MISSING | 282 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 258 | #·END·fix·for·'httpd_ | 283 | #·END·fix·for·'httpd_cgi_support' |
| 259 | ############################################################################### | 284 | ############################################################################### |
| 260 | #·BEGIN·fix·(17·/·313)·for·'httpd_ | 285 | #·BEGIN·fix·(17·/·313)·for·'httpd_url_correction' |
| 261 | ############################################################################### | 286 | ############################################################################### |
| 262 | (>&2·echo·"Remediating·rule·17/313:·'httpd_ | 287 | (>&2·echo·"Remediating·rule·17/313:·'httpd_url_correction'") |
| 263 | #·FIX·FOR·THIS·RULE·IS·MISSING | 288 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 264 | #·END·fix·for·'httpd_ | 289 | #·END·fix·for·'httpd_url_correction' |
| 265 | ############################################################################### | 290 | ############################################################################### |
| 266 | #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status' | 291 | #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status' |
| 267 | ############################################################################### | 292 | ############################################################################### |
| 268 | (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'") | 293 | (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'") |
| 269 | #·FIX·FOR·THIS·RULE·IS·MISSING | 294 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| Max diff block lines reached; 441404/447704 bytes (98.59%) of diff not shown. | |||
| Offset 23, 46 lines modified | Offset 23, 99 lines modified | ||
| 23 | # | 23 | # |
| 24 | #·How·to·apply·this·remediation·role: | 24 | #·How·to·apply·this·remediation·role: |
| 25 | #·$·sudo·./remediation-role.sh | 25 | #·$·sudo·./remediation-role.sh |
| 26 | # | 26 | # |
| 27 | ############################################################################### | 27 | ############################################################################### |
| 28 | ############################################################################### | 28 | ############################################################################### |
| 29 | #·BEGIN·fix·(1·/·215)·for·' | 29 | #·BEGIN·fix·(1·/·215)·for·'service_vsftpd_disabled' |
| 30 | ############################################################################### | 30 | ############################################################################### |
| 31 | (>&2·echo·"Remediating·rule·1/215:·' | 31 | (>&2·echo·"Remediating·rule·1/215:·'service_vsftpd_disabled'") |
| 32 | #·F | 32 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 33 | # | 33 | # |
| 34 | #·Example·Call(s): | ||
| 35 | # | ||
| 36 | #·····service_command·enable·bluetooth | ||
| 37 | #·····service_command·disable·bluetooth.service | ||
| 38 | # | ||
| 39 | #·····Using·xinetd: | ||
| 40 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 41 | # | ||
| 42 | function·service_command·{ | ||
| 34 | # | 43 | #·Load·function·arguments·into·local·variables |
| 35 | 44 | local·service_state=$1 | |
| 36 | 45 | local·service=$2 | |
| 37 | 46 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | |
| 38 | 47 | #·Check·sanity·of·the·input | |
| 39 | 48 | if·[·$#·-lt·"2"·] | |
| 49 | then | ||
| 50 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 51 | ··echo | ||
| 52 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 53 | ··echo·"as·the·last·argument"·· | ||
| 54 | ··echo·"Aborting." | ||
| 55 | ··exit·1 | ||
| 56 | fi | ||
| 40 | # | 57 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands |
| 41 | 58 | if·[·-f·"/usr/bin/systemctl"·]·;·then | |
| 42 | 59 | ··service_util="/usr/bin/systemctl" | |
| 43 | 60 | else | |
| 44 | 61 | ··service_util="/sbin/service" | |
| 45 | 62 | ··chkconfig_util="/sbin/chkconfig" | |
| 63 | fi | ||
| 46 | # | 64 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. |
| 47 | #· | 65 | #·Otherwise,·variables·are·to·be·set·to·disable·services. |
| 48 | 66 | if·[·"$service_state"·!=·'disable'·]·;·then | |
| 49 | 67 | ··service_state="enable" | |
| 50 | 68 | ··service_operation="start" | |
| 51 | 69 | ··chkconfig_state="on" | |
| 70 | else | ||
| 71 | ··service_state="disable" | ||
| 72 | ··service_operation="stop" | ||
| 73 | ··chkconfig_state="off" | ||
| 74 | fi | ||
| 75 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 76 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 77 | ··$service_util·$service·$service_operation | ||
| 78 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 79 | else | ||
| 80 | ··$service_util·$service_operation·$service | ||
| 81 | ··$service_util·$service_state·$service | ||
| 82 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 83 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 84 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 85 | ··$service_util·reset-failed·$service | ||
| 86 | fi | ||
| 87 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 88 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 89 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 90 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 91 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 92 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 93 | ··else | ||
| 94 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 95 | ··fi | ||
| 96 | fi | ||
| 97 | } | ||
| 98 | service_command·disable·vsftpd | ||
| 99 | #·END·fix·for·'service_vsftpd_disabled' | ||
| 52 | ############################################################################### | 100 | ############################################################################### |
| 53 | #·BEGIN·fix·( | 101 | #·BEGIN·fix·(2·/·215)·for·'package_vsftpd_removed' |
| 54 | ############################################################################### | 102 | ############################################################################### |
| 55 | (>&2·echo·"Remediating·rule· | 103 | (>&2·echo·"Remediating·rule·2/215:·'package_vsftpd_removed'") |
| 56 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 104 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 57 | # | 105 | # |
| 58 | #·Example·Call(s): | 106 | #·Example·Call(s): |
| 59 | # | 107 | # |
| 60 | #·····package_remove·telnet-server | 108 | #·····package_remove·telnet-server |
| 61 | # | 109 | # |
| 62 | function·package_remove·{ | 110 | function·package_remove·{ |
| Offset 92, 49 lines modified | Offset 145, 132 lines modified | ||
| 92 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 145 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 93 | ··echo·"Aborting." | 146 | ··echo·"Aborting." |
| 94 | ··exit·1 | 147 | ··exit·1 |
| 95 | fi | 148 | fi |
| 96 | } | 149 | } |
| 97 | package_remove· | 150 | package_remove·vsftpd |
| 98 | #·END·fix·for·'package_ | 151 | #·END·fix·for·'package_vsftpd_removed' |
| 99 | ############################################################################### | 152 | ############################################################################### |
| 100 | #·BEGIN·fix·( | 153 | #·BEGIN·fix·(3·/·215)·for·'httpd_servertokens_prod' |
| 101 | ############################################################################### | 154 | ############################################################################### |
| 102 | (>&2·echo·"Remediating·rule· | 155 | (>&2·echo·"Remediating·rule·3/215:·'httpd_servertokens_prod'") |
| 103 | #·FIX·FOR·THIS·RULE·IS·MISSING | 156 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 104 | #·END·fix·for·' | 157 | #·END·fix·for·'httpd_servertokens_prod' |
| 105 | ############################################################################### | 158 | ############################################################################### |
| 106 | #·BEGIN·fix·( | 159 | #·BEGIN·fix·(4·/·215)·for·'file_permissions_httpd_server_conf_files' |
| 107 | ############################################################################### | 160 | ############################################################################### |
| 108 | (>&2·echo·"Remediating·rule· | 161 | (>&2·echo·"Remediating·rule·4/215:·'file_permissions_httpd_server_conf_files'") |
| 109 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 110 | 162 | chmod·0640·/etc/httpd/conf/* | |
| 163 | #·END·fix·for·'file_permissions_httpd_server_conf_files' | ||
| 111 | ############################################################################### | 164 | ############################################################################### |
| 112 | #·BEGIN·fix·( | 165 | #·BEGIN·fix·(5·/·215)·for·'dir_perms_var_log_httpd' |
| Max diff block lines reached; 292875/299278 bytes (97.86%) of diff not shown. | |||
| Offset 19, 17 lines modified | Offset 19, 17 lines modified | ||
| 19 | # | 19 | # |
| 20 | #·How·to·apply·this·remediation·role: | 20 | #·How·to·apply·this·remediation·role: |
| 21 | #·$·sudo·./remediation-role.sh | 21 | #·$·sudo·./remediation-role.sh |
| 22 | # | 22 | # |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | ############################################################################### | 24 | ############################################################################### |
| 25 | #·BEGIN·fix·(1·/·206)·for·'service_s | 25 | #·BEGIN·fix·(1·/·206)·for·'service_vsftpd_disabled' |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | (>&2·echo·"Remediating·rule·1/206:·'service_s | 27 | (>&2·echo·"Remediating·rule·1/206:·'service_vsftpd_disabled'") |
| 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 29 | # | 29 | # |
| 30 | #·Example·Call(s): | 30 | #·Example·Call(s): |
| 31 | # | 31 | # |
| 32 | #·····service_command·enable·bluetooth | 32 | #·····service_command·enable·bluetooth |
| 33 | #·····service_command·disable·bluetooth.service | 33 | #·····service_command·disable·bluetooth.service |
| 34 | # | 34 | # |
| Offset 97, 47 lines modified | Offset 97, 65 lines modified | ||
| 97 | ··else | 97 | ··else |
| 98 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 98 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 99 | ··fi | 99 | ··fi |
| 100 | fi | 100 | fi |
| 101 | } | 101 | } |
| 102 | service_command·disable·s | 102 | service_command·disable·vsftpd |
| 103 | #·END·fix·for·'service_s | 103 | #·END·fix·for·'service_vsftpd_disabled' |
| 104 | ############################################################################### | 104 | ############################################################################### |
| 105 | #·BEGIN·fix·(2·/·206)·for·' | 105 | #·BEGIN·fix·(2·/·206)·for·'package_vsftpd_removed' |
| 106 | ############################################################################### | 106 | ############################################################################### |
| 107 | (>&2·echo·"Remediating·rule·2/206:·' | 107 | (>&2·echo·"Remediating·rule·2/206:·'package_vsftpd_removed'") |
| 108 | # | 108 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 109 | # | 109 | # |
| 110 | # | 110 | #·Example·Call(s): |
| 111 | # | 111 | # |
| 112 | #·····package_remove·telnet-server | ||
| 113 | # | ||
| 114 | function·package_remove·{ | ||
| 112 | 115 | #·Load·function·arguments·into·local·variables | |
| 116 | local·package="$1" | ||
| 113 | 117 | #·Check·sanity·of·the·input | |
| 114 | 118 | if·[·$#·-ne·"1"·] | |
| 115 | 119 | then | |
| 120 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 121 | ··echo·"Aborting." | ||
| 122 | ··exit·1 | ||
| 123 | fi | ||
| 124 | if·which·dnf·;·then | ||
| 125 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 126 | ····dnf·remove·-y·"$package" | ||
| 127 | ··fi | ||
| 128 | elif·which·yum·;·then | ||
| 129 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 130 | ····yum·remove·-y·"$package" | ||
| 131 | ··fi | ||
| 132 | elif·which·apt-get·;·then | ||
| 133 | ··apt-get·remove·-y·"$package" | ||
| 116 | else | 134 | else |
| 117 | 135 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 136 | ··echo·"Aborting." | ||
| 137 | ··exit·1 | ||
| 118 | fi | 138 | fi |
| 119 | #·END·fix·for·'require_smb_client_signing' | ||
| 120 | 139 | } | |
| 121 | #·BEGIN·fix·(3·/·206)·for·'mount_option_smb_client_signing' | ||
| 122 | 140 | package_remove·vsftpd | |
| 123 | 141 | #·END·fix·for·'package_vsftpd_removed' | |
| 124 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 125 | #·END·fix·for·'mount_option_smb_client_signing' | ||
| 126 | ############################################################################### | 142 | ############################################################################### |
| 127 | #·BEGIN·fix·( | 143 | #·BEGIN·fix·(3·/·206)·for·'service_httpd_disabled' |
| 128 | ############################################################################### | 144 | ############################################################################### |
| 129 | (>&2·echo·"Remediating·rule· | 145 | (>&2·echo·"Remediating·rule·3/206:·'service_httpd_disabled'") |
| 130 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 146 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 131 | # | 147 | # |
| 132 | #·Example·Call(s): | 148 | #·Example·Call(s): |
| 133 | # | 149 | # |
| 134 | #·····service_command·enable·bluetooth | 150 | #·····service_command·enable·bluetooth |
| 135 | #·····service_command·disable·bluetooth.service | 151 | #·····service_command·disable·bluetooth.service |
| 136 | # | 152 | # |
| Offset 209, 17 lines modified | Offset 227, 17 lines modified | ||
| 209 | } | 227 | } |
| 210 | service_command·disable·httpd | 228 | service_command·disable·httpd |
| 211 | #·END·fix·for·'service_httpd_disabled' | 229 | #·END·fix·for·'service_httpd_disabled' |
| 212 | ############################################################################### | 230 | ############################################################################### |
| 213 | #·BEGIN·fix·( | 231 | #·BEGIN·fix·(4·/·206)·for·'package_httpd_removed' |
| 214 | ############################################################################### | 232 | ############################################################################### |
| 215 | (>&2·echo·"Remediating·rule· | 233 | (>&2·echo·"Remediating·rule·4/206:·'package_httpd_removed'") |
| 216 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 234 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 217 | # | 235 | # |
| 218 | #·Example·Call(s): | 236 | #·Example·Call(s): |
| 219 | # | 237 | # |
| 220 | #·····package_remove·telnet-server | 238 | #·····package_remove·telnet-server |
| 221 | # | 239 | # |
| 222 | function·package_remove·{ | 240 | function·package_remove·{ |
| Offset 253, 24 lines modified | Offset 271, 99 lines modified | ||
| 253 | } | 271 | } |
| 254 | package_remove·httpd | 272 | package_remove·httpd |
| 255 | #·END·fix·for·'package_httpd_removed' | 273 | #·END·fix·for·'package_httpd_removed' |
| 256 | ############################################################################### | 274 | ############################################################################### |
| 257 | #·BEGIN·fix·( | 275 | #·BEGIN·fix·(5·/·206)·for·'service_named_disabled' |
| 258 | ############################################################################### | 276 | ############################################################################### |
| 259 | (>&2·echo·"Remediating·rule· | 277 | (>&2·echo·"Remediating·rule·5/206:·'service_named_disabled'") |
| 260 | #·F | 278 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 261 | # | 279 | # |
| 280 | #·Example·Call(s): | ||
| 281 | # | ||
| 282 | #·····service_command·enable·bluetooth | ||
| 283 | #·····service_command·disable·bluetooth.service | ||
| 284 | # | ||
| 285 | #·····Using·xinetd: | ||
| 286 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 287 | # | ||
| 288 | function·service_command·{ | ||
| Max diff block lines reached; 321323/328772 bytes (97.73%) of diff not shown. | |||
| Offset 114, 17 lines modified | Offset 114, 181 lines modified | ||
| 114 | #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server' | 114 | #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server' |
| 115 | ############################################################################### | 115 | ############################################################################### |
| 116 | (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'") | 116 | (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'") |
| 117 | #·FIX·FOR·THIS·RULE·IS·MISSING | 117 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 118 | #·END·fix·for·'ntpd_specify_remote_server' | 118 | #·END·fix·for·'ntpd_specify_remote_server' |
| 119 | ############################################################################### | 119 | ############################################################################### |
| 120 | #·BEGIN·fix·(4·/·211)·for·' | 120 | #·BEGIN·fix·(4·/·211)·for·'service_crond_enabled' |
| 121 | ############################################################################### | 121 | ############################################################################### |
| 122 | (>&2·echo·"Remediating·rule·4/211:·' | 122 | (>&2·echo·"Remediating·rule·4/211:·'service_crond_enabled'") |
| 123 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 124 | # | ||
| 125 | #·Example·Call(s): | ||
| 126 | # | ||
| 127 | #·····service_command·enable·bluetooth | ||
| 128 | #·····service_command·disable·bluetooth.service | ||
| 129 | # | ||
| 130 | #·····Using·xinetd: | ||
| 131 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 132 | # | ||
| 133 | function·service_command·{ | ||
| 134 | #·Load·function·arguments·into·local·variables | ||
| 135 | local·service_state=$1 | ||
| 136 | local·service=$2 | ||
| 137 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 138 | #·Check·sanity·of·the·input | ||
| 139 | if·[·$#·-lt·"2"·] | ||
| 140 | then | ||
| 141 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 142 | ··echo | ||
| 143 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 144 | ··echo·"as·the·last·argument"·· | ||
| 145 | ··echo·"Aborting." | ||
| 146 | ··exit·1 | ||
| 147 | fi | ||
| 148 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 149 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 150 | ··service_util="/usr/bin/systemctl" | ||
| 151 | else | ||
| 152 | ··service_util="/sbin/service" | ||
| 153 | ··chkconfig_util="/sbin/chkconfig" | ||
| 154 | fi | ||
| 155 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 156 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 157 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 158 | ··service_state="enable" | ||
| 159 | ··service_operation="start" | ||
| 160 | ··chkconfig_state="on" | ||
| 161 | else | ||
| 162 | ··service_state="disable" | ||
| 163 | ··service_operation="stop" | ||
| 164 | ··chkconfig_state="off" | ||
| 165 | fi | ||
| 166 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 167 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 168 | ··$service_util·$service·$service_operation | ||
| 169 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 170 | else | ||
| 171 | ··$service_util·$service_operation·$service | ||
| 172 | ··$service_util·$service_state·$service | ||
| 173 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 174 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 175 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 176 | ··$service_util·reset-failed·$service | ||
| 177 | fi | ||
| 178 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 179 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 180 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 181 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 182 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 183 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 184 | ··else | ||
| 185 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 186 | ··fi | ||
| 187 | fi | ||
| 188 | } | ||
| 189 | service_command·enable·crond | ||
| 190 | #·END·fix·for·'service_crond_enabled' | ||
| 191 | ############################################################################### | ||
| 192 | #·BEGIN·fix·(5·/·211)·for·'service_atd_disabled' | ||
| 193 | ############################################################################### | ||
| 194 | (>&2·echo·"Remediating·rule·5/211:·'service_atd_disabled'") | ||
| 195 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 196 | # | ||
| 197 | #·Example·Call(s): | ||
| 198 | # | ||
| 199 | #·····service_command·enable·bluetooth | ||
| 200 | #·····service_command·disable·bluetooth.service | ||
| 201 | # | ||
| 202 | #·····Using·xinetd: | ||
| 203 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 204 | # | ||
| 205 | function·service_command·{ | ||
| 206 | #·Load·function·arguments·into·local·variables | ||
| 207 | local·service_state=$1 | ||
| 208 | local·service=$2 | ||
| 209 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 210 | #·Check·sanity·of·the·input | ||
| 211 | if·[·$#·-lt·"2"·] | ||
| 212 | then | ||
| 213 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 214 | ··echo | ||
| 215 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 216 | ··echo·"as·the·last·argument"·· | ||
| 217 | ··echo·"Aborting." | ||
| 218 | ··exit·1 | ||
| 219 | fi | ||
| 220 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 221 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 222 | ··service_util="/usr/bin/systemctl" | ||
| 223 | else | ||
| 224 | ··service_util="/sbin/service" | ||
| 225 | ··chkconfig_util="/sbin/chkconfig" | ||
| 226 | fi | ||
| Max diff block lines reached; 326691/332694 bytes (98.20%) of diff not shown. | |||
| Offset 18, 17 lines modified | Offset 18, 96 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·192)·for·' | 24 | #·BEGIN·fix·(1·/·192)·for·'ftp_restrict_to_anon' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/192:·' | 26 | (>&2·echo·"Remediating·rule·1/192:·'ftp_restrict_to_anon'") |
| 27 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 28 | #·END·fix·for·'ftp_restrict_to_anon' | ||
| 29 | ############################################################################### | ||
| 30 | #·BEGIN·fix·(2·/·192)·for·'ftp_home_partition' | ||
| 31 | ############################################################################### | ||
| 32 | (>&2·echo·"Remediating·rule·2/192:·'ftp_home_partition'") | ||
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 34 | #·END·fix·for·'ftp_home_partition' | ||
| 35 | ############################################################################### | ||
| 36 | #·BEGIN·fix·(3·/·192)·for·'ftp_log_transactions' | ||
| 37 | ############################################################################### | ||
| 38 | (>&2·echo·"Remediating·rule·3/192:·'ftp_log_transactions'") | ||
| 39 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 40 | #·END·fix·for·'ftp_log_transactions' | ||
| 41 | ############################################################################### | ||
| 42 | #·BEGIN·fix·(4·/·192)·for·'ftp_disable_uploads' | ||
| 43 | ############################################################################### | ||
| 44 | (>&2·echo·"Remediating·rule·4/192:·'ftp_disable_uploads'") | ||
| 45 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 46 | #·END·fix·for·'ftp_disable_uploads' | ||
| 47 | ############################################################################### | ||
| 48 | #·BEGIN·fix·(5·/·192)·for·'ftp_present_banner' | ||
| 49 | ############################################################################### | ||
| 50 | (>&2·echo·"Remediating·rule·5/192:·'ftp_present_banner'") | ||
| 51 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 52 | #·END·fix·for·'ftp_present_banner' | ||
| 53 | ############################################################################### | ||
| 54 | #·BEGIN·fix·(6·/·192)·for·'package_vsftpd_installed' | ||
| 55 | ############################################################################### | ||
| 56 | (>&2·echo·"Remediating·rule·6/192:·'package_vsftpd_installed'") | ||
| 57 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 58 | # | ||
| 59 | #·Example·Call(s): | ||
| 60 | # | ||
| 61 | #·····package_install·aide | ||
| 62 | # | ||
| 63 | function·package_install·{ | ||
| 64 | #·Load·function·arguments·into·local·variables | ||
| 65 | local·package="$1" | ||
| 66 | #·Check·sanity·of·the·input | ||
| 67 | if·[·$#·-ne·"1"·] | ||
| 68 | then | ||
| 69 | ··echo·"Usage:·package_install·'package_name'" | ||
| 70 | ··echo·"Aborting." | ||
| 71 | ··exit·1 | ||
| 72 | fi | ||
| 73 | if·which·dnf·;·then | ||
| 74 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 75 | ····dnf·install·-y·"$package" | ||
| 76 | ··fi | ||
| 77 | elif·which·yum·;·then | ||
| 78 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 79 | ····yum·install·-y·"$package" | ||
| 80 | ··fi | ||
| 81 | elif·which·apt-get·;·then | ||
| 82 | ··apt-get·install·-y·"$package" | ||
| 83 | else | ||
| 84 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 85 | ··echo·"Aborting." | ||
| 86 | ··exit·1 | ||
| 87 | fi | ||
| 88 | } | ||
| 89 | package_install·vsftpd | ||
| 90 | #·END·fix·for·'package_vsftpd_installed' | ||
| 91 | ############################################################################### | ||
| 92 | #·BEGIN·fix·(7·/·192)·for·'require_smb_client_signing' | ||
| 93 | ############################################################################### | ||
| 94 | (>&2·echo·"Remediating·rule·7/192:·'require_smb_client_signing'") | ||
| 27 | ###################################################################### | 95 | ###################################################################### |
| 28 | #By·Luke·"Brisk-OH"·Brisk | 96 | #By·Luke·"Brisk-OH"·Brisk |
| 29 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 97 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 30 | ###################################################################### | 98 | ###################################################################### |
| 31 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 99 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| Offset 37, 38 lines modified | Offset 116, 24 lines modified | ||
| 37 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 116 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 38 | else | 117 | else |
| 39 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 118 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 40 | fi | 119 | fi |
| 41 | #·END·fix·for·'require_smb_client_signing' | 120 | #·END·fix·for·'require_smb_client_signing' |
| 42 | ############################################################################### | 121 | ############################################################################### |
| 43 | #·BEGIN·fix·( | 122 | #·BEGIN·fix·(8·/·192)·for·'mount_option_smb_client_signing' |
| 44 | ############################################################################### | 123 | ############################################################################### |
| 45 | (>&2·echo·"Remediating·rule· | 124 | (>&2·echo·"Remediating·rule·8/192:·'mount_option_smb_client_signing'") |
| 46 | #·FIX·FOR·THIS·RULE·IS·MISSING | 125 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 47 | #·END·fix·for·'mount_option_smb_client_signing' | 126 | #·END·fix·for·'mount_option_smb_client_signing' |
| 48 | ############################################################################### | 127 | ############################################################################### |
| 49 | #·BEGIN·fix·( | 128 | #·BEGIN·fix·(9·/·192)·for·'service_ntpd_enabled' |
| 50 | ############################################################################### | ||
| 51 | (>&2·echo·"Remediating·rule·3/192:·'postfix_network_listening_disabled'") | ||
| 52 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 53 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 54 | ############################################################################### | ||
| 55 | #·BEGIN·fix·(4·/·192)·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 56 | ############################################################################### | ||
| 57 | (>&2·echo·"Remediating·rule·4/192:·'sysconfig_networking_bootproto_ifcfg'") | ||
| 58 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 59 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 60 | ############################################################################### | ||
| 61 | #·BEGIN·fix·(5·/·192)·for·'service_ntpd_enabled' | ||
| 62 | ############################################################################### | 129 | ############################################################################### |
| Max diff block lines reached; 286922/292683 bytes (98.03%) of diff not shown. | |||
| Offset 22, 43 lines modified | Offset 22, 61 lines modified | ||
| 22 | # | 22 | # |
| 23 | #·How·to·apply·this·remediation·role: | 23 | #·How·to·apply·this·remediation·role: |
| 24 | #·$·sudo·./remediation-role.sh | 24 | #·$·sudo·./remediation-role.sh |
| 25 | # | 25 | # |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | ############################################################################### | 27 | ############################################################################### |
| 28 | #·BEGIN·fix·(1·/·270)·for·' | 28 | #·BEGIN·fix·(1·/·270)·for·'package_vsftpd_removed' |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | (>&2·echo·"Remediating·rule·1/270:·' | 30 | (>&2·echo·"Remediating·rule·1/270:·'package_vsftpd_removed'") |
| 31 | # | 31 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 32 | # | 32 | # |
| 33 | # | 33 | #·Example·Call(s): |
| 34 | # | 34 | # |
| 35 | #·····package_remove·telnet-server | ||
| 36 | # | ||
| 37 | function·package_remove·{ | ||
| 35 | 38 | #·Load·function·arguments·into·local·variables | |
| 39 | local·package="$1" | ||
| 36 | 40 | #·Check·sanity·of·the·input | |
| 37 | 41 | if·[·$#·-ne·"1"·] | |
| 38 | 42 | then | |
| 43 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 44 | ··echo·"Aborting." | ||
| 45 | ··exit·1 | ||
| 46 | fi | ||
| 47 | if·which·dnf·;·then | ||
| 48 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 49 | ····dnf·remove·-y·"$package" | ||
| 50 | ··fi | ||
| 51 | elif·which·yum·;·then | ||
| 52 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 53 | ····yum·remove·-y·"$package" | ||
| 54 | ··fi | ||
| 55 | elif·which·apt-get·;·then | ||
| 56 | ··apt-get·remove·-y·"$package" | ||
| 39 | else | 57 | else |
| 40 | 58 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 59 | ··echo·"Aborting." | ||
| 60 | ··exit·1 | ||
| 41 | fi | 61 | fi |
| 42 | #·END·fix·for·'require_smb_client_signing' | ||
| 43 | 62 | } | |
| 44 | #·BEGIN·fix·(2·/·270)·for·'mount_option_smb_client_signing' | ||
| 45 | 63 | package_remove·vsftpd | |
| 46 | 64 | #·END·fix·for·'package_vsftpd_removed' | |
| 47 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 48 | #·END·fix·for·'mount_option_smb_client_signing' | ||
| 49 | ############################################################################### | 65 | ############################################################################### |
| 50 | #·BEGIN·fix·( | 66 | #·BEGIN·fix·(2·/·270)·for·'service_httpd_disabled' |
| 51 | ############################################################################### | 67 | ############################################################################### |
| 52 | (>&2·echo·"Remediating·rule· | 68 | (>&2·echo·"Remediating·rule·2/270:·'service_httpd_disabled'") |
| 53 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 69 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 54 | # | 70 | # |
| 55 | #·Example·Call(s): | 71 | #·Example·Call(s): |
| 56 | # | 72 | # |
| 57 | #·····service_command·enable·bluetooth | 73 | #·····service_command·enable·bluetooth |
| 58 | #·····service_command·disable·bluetooth.service | 74 | #·····service_command·disable·bluetooth.service |
| 59 | # | 75 | # |
| Offset 130, 17 lines modified | Offset 148, 17 lines modified | ||
| 130 | } | 148 | } |
| 131 | service_command·disable·httpd | 149 | service_command·disable·httpd |
| 132 | #·END·fix·for·'service_httpd_disabled' | 150 | #·END·fix·for·'service_httpd_disabled' |
| 133 | ############################################################################### | 151 | ############################################################################### |
| 134 | #·BEGIN·fix·( | 152 | #·BEGIN·fix·(3·/·270)·for·'package_httpd_removed' |
| 135 | ############################################################################### | 153 | ############################################################################### |
| 136 | (>&2·echo·"Remediating·rule· | 154 | (>&2·echo·"Remediating·rule·3/270:·'package_httpd_removed'") |
| 137 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 155 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 138 | # | 156 | # |
| 139 | #·Example·Call(s): | 157 | #·Example·Call(s): |
| 140 | # | 158 | # |
| 141 | #·····package_remove·telnet-server | 159 | #·····package_remove·telnet-server |
| 142 | # | 160 | # |
| 143 | function·package_remove·{ | 161 | function·package_remove·{ |
| Offset 174, 75 lines modified | Offset 192, 99 lines modified | ||
| 174 | } | 192 | } |
| 175 | package_remove·httpd | 193 | package_remove·httpd |
| 176 | #·END·fix·for·'package_httpd_removed' | 194 | #·END·fix·for·'package_httpd_removed' |
| 177 | ############################################################################### | 195 | ############################################################################### |
| 178 | #·BEGIN·fix·( | 196 | #·BEGIN·fix·(4·/·270)·for·'service_named_disabled' |
| 179 | ############################################################################### | 197 | ############################################################################### |
| 180 | (>&2·echo·"Remediating·rule· | 198 | (>&2·echo·"Remediating·rule·4/270:·'service_named_disabled'") |
| 181 | #·F | 199 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 182 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 183 | ############################################################################### | ||
| 184 | #·BEGIN·fix·(6·/·270)·for·'package_sendmail_removed' | ||
| 185 | ############################################################################### | ||
| 186 | (>&2·echo·"Remediating·rule·6/270:·'package_sendmail_removed'") | ||
| 187 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 188 | # | 200 | # |
| 189 | #·Example·Call(s): | 201 | #·Example·Call(s): |
| 190 | # | 202 | # |
| 191 | #····· | 203 | #·····service_command·enable·bluetooth |
| 204 | #·····service_command·disable·bluetooth.service | ||
| 192 | # | 205 | # |
| 193 | 206 | #·····Using·xinetd: | |
| 207 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 208 | # | ||
| 209 | function·service_command·{ | ||
| 194 | #·Load·function·arguments·into·local·variables | 210 | #·Load·function·arguments·into·local·variables |
| 195 | local· | 211 | local·service_state=$1 |
| 212 | local·service=$2 | ||
| 213 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 196 | #·Check·sanity·of·the·input | 214 | #·Check·sanity·of·the·input |
| 197 | if·[·$#·- | 215 | if·[·$#·-lt·"2"·] |
| 198 | then | 216 | then |
| 199 | ··echo·"Usage:· | 217 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" |
| 218 | ··echo | ||
| 219 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 220 | ··echo·"as·the·last·argument"·· | ||
| 200 | ··echo·"Aborting." | 221 | ··echo·"Aborting." |
| 201 | ··exit·1 | 222 | ··exit·1 |
| 202 | fi | 223 | fi |
| Max diff block lines reached; 415516/421004 bytes (98.70%) of diff not shown. | |||
| Offset 128, 424 lines modified | Offset 128, 17 lines modified | ||
| 128 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config | 128 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config |
| 129 | if·!·[·$?·-eq·0·];·then | 129 | if·!·[·$?·-eq·0·];·then |
| 130 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config | 130 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config |
| 131 | fi | 131 | fi |
| 132 | #·END·fix·for·'sshd_set_idle_timeout' | 132 | #·END·fix·for·'sshd_set_idle_timeout' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | #·BEGIN·fix·(5·/·94)·for·'r | 134 | #·BEGIN·fix·(5·/·94)·for·'rsyslog_files_permissions' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | (>&2·echo·"Remediating·rule·5/94:·'r | 136 | (>&2·echo·"Remediating·rule·5/94:·'rsyslog_files_permissions'") |
| 137 | #·Declare·array·to·hold·list·of·RPM·packages·we·need·to·correct·permissions·for | ||
| 138 | declare·-a·SETPERMS_RPM_LIST | ||
| 139 | #·Create·a·list·of·files·on·the·system·having·permissions·different·from·what | ||
| 140 | #·is·expected·by·the·RPM·database | ||
| 141 | FILES_WITH_INCORRECT_PERMS=($(rpm·-Va·--nofiledigest·|·grep·'^.M'·|·cut·-d·'·'·-f4-)) | ||
| 142 | #·For·each·file·path·from·that·list: | ||
| 143 | #·*·Determine·the·RPM·package·the·file·path·is·shipped·by, | ||
| 144 | #·*·Include·it·into·SETPERMS_RPM_LIST·array | ||
| 145 | for·FILE_PATH·in·"${FILES_WITH_INCORRECT_PERMS[@]}" | ||
| 146 | do | ||
| 147 | » RPM_PACKAGE=$(rpm·-qf·"$FILE_PATH") | ||
| 148 | » SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}"·"$RPM_PACKAGE") | ||
| 149 | done | ||
| 150 | #·Remove·duplicate·mention·of·same·RPM·in·$SETPERMS_RPM_LIST·(if·any) | ||
| 151 | SETPERMS_RPM_LIST=(·$(echo·"${SETPERMS_RPM_LIST[@]}"·|·tr·'·'·'\n'·|·sort·-u·|·tr·'\n'·'·')·) | ||
| 152 | #·For·each·of·the·RPM·packages·left·in·the·list·--·reset·its·permissions·to·the | ||
| 153 | #·correct·values | ||
| 154 | for·RPM_PACKAGE·in·"${SETPERMS_RPM_LIST[@]}" | ||
| 155 | do | ||
| 156 | » rpm·--setperms·"${RPM_PACKAGE}" | ||
| 157 | done | ||
| 158 | #·END·fix·for·'rpm_verify_permissions' | ||
| 159 | ############################################################################### | ||
| 160 | #·BEGIN·fix·(6·/·94)·for·'rpm_verify_hashes' | ||
| 161 | ############################################################################### | ||
| 162 | (>&2·echo·"Remediating·rule·6/94:·'rpm_verify_hashes'") | ||
| 163 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 164 | #·END·fix·for·'rpm_verify_hashes' | ||
| 165 | ############################################################################### | ||
| 166 | #·BEGIN·fix·(7·/·94)·for·'install_hids' | ||
| 167 | ############################################################################### | ||
| 168 | (>&2·echo·"Remediating·rule·7/94:·'install_hids'") | ||
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 170 | #·END·fix·for·'install_hids' | ||
| 171 | ############################################################################### | ||
| 172 | #·BEGIN·fix·(8·/·94)·for·'package_aide_installed' | ||
| 173 | ############################################################################### | ||
| 174 | (>&2·echo·"Remediating·rule·8/94:·'package_aide_installed'") | ||
| 175 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 176 | # | ||
| 177 | #·Example·Call(s): | ||
| 178 | # | ||
| 179 | #·····package_install·aide | ||
| 180 | # | ||
| 181 | function·package_install·{ | ||
| 182 | #·Load·function·arguments·into·local·variables | ||
| 183 | local·package="$1" | ||
| 184 | #·Check·sanity·of·the·input | ||
| 185 | if·[·$#·-ne·"1"·] | ||
| 186 | then | ||
| 187 | ··echo·"Usage:·package_install·'package_name'" | ||
| 188 | ··echo·"Aborting." | ||
| 189 | ··exit·1 | ||
| 190 | fi | ||
| 191 | if·which·dnf·;·then | ||
| 192 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 193 | ····dnf·install·-y·"$package" | ||
| 194 | ··fi | ||
| 195 | elif·which·yum·;·then | ||
| 196 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 197 | ····yum·install·-y·"$package" | ||
| 198 | ··fi | ||
| 199 | elif·which·apt-get·;·then | ||
| 200 | ··apt-get·install·-y·"$package" | ||
| 201 | else | ||
| 202 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 203 | ··echo·"Aborting." | ||
| 204 | ··exit·1 | ||
| 205 | fi | ||
| 206 | } | ||
| 207 | package_install·aide | ||
| 208 | #·END·fix·for·'package_aide_installed' | ||
| 209 | ############################################################################### | ||
| 210 | #·BEGIN·fix·(9·/·94)·for·'aide_periodic_cron_checking' | ||
| 211 | ############################################################################### | ||
| 212 | (>&2·echo·"Remediating·rule·9/94:·'aide_periodic_cron_checking'") | ||
| 213 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 214 | # | ||
| 215 | #·Example·Call(s): | ||
| 216 | # | ||
| 217 | #·····package_install·aide | ||
| 218 | # | ||
| 219 | function·package_install·{ | ||
| 220 | #·Load·function·arguments·into·local·variables | ||
| 221 | local·package="$1" | ||
| 222 | #·Check·sanity·of·the·input | ||
| 223 | if·[·$#·-ne·"1"·] | ||
| 224 | then | ||
| 225 | ··echo·"Usage:·package_install·'package_name'" | ||
| 226 | ··echo·"Aborting." | ||
| 227 | ··exit·1 | ||
| 228 | fi | ||
| 229 | if·which·dnf·;·then | ||
| 230 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 231 | ····dnf·install·-y·"$package" | ||
| 232 | ··fi | ||
| 233 | elif·which·yum·;·then | ||
| 234 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 235 | ····yum·install·-y·"$package" | ||
| Max diff block lines reached; 176223/192119 bytes (91.73%) of diff not shown. | |||
| Offset 18, 38 lines modified | Offset 18, 120 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·94)·for·'service_ | 24 | #·BEGIN·fix·(1·/·94)·for·'service_atd_disabled' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/94:·'service_ | 26 | (>&2·echo·"Remediating·rule·1/94:·'service_atd_disabled'") |
| 27 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 28 | # | ||
| 29 | #·Example·Call(s): | ||
| 30 | # | ||
| 31 | #·····service_command·enable·bluetooth | ||
| 32 | #·····service_command·disable·bluetooth.service | ||
| 33 | # | ||
| 34 | #·····Using·xinetd: | ||
| 35 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 36 | # | ||
| 37 | function·service_command·{ | ||
| 38 | #·Load·function·arguments·into·local·variables | ||
| 39 | local·service_state=$1 | ||
| 40 | local·service=$2 | ||
| 41 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 42 | #·Check·sanity·of·the·input | ||
| 43 | if·[·$#·-lt·"2"·] | ||
| 44 | then | ||
| 45 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 46 | ··echo | ||
| 47 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 48 | ··echo·"as·the·last·argument"·· | ||
| 49 | ··echo·"Aborting." | ||
| 50 | ··exit·1 | ||
| 51 | fi | ||
| 52 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 53 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 54 | ··service_util="/usr/bin/systemctl" | ||
| 55 | else | ||
| 56 | ··service_util="/sbin/service" | ||
| 57 | ··chkconfig_util="/sbin/chkconfig" | ||
| 58 | fi | ||
| 59 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 60 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 61 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 62 | ··service_state="enable" | ||
| 63 | ··service_operation="start" | ||
| 64 | ··chkconfig_state="on" | ||
| 65 | else | ||
| 66 | ··service_state="disable" | ||
| 67 | ··service_operation="stop" | ||
| 68 | ··chkconfig_state="off" | ||
| 69 | fi | ||
| 70 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 71 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 72 | ··$service_util·$service·$service_operation | ||
| 73 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 74 | else | ||
| 75 | ··$service_util·$service_operation·$service | ||
| 76 | ··$service_util·$service_state·$service | ||
| 77 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 78 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 79 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 80 | ··$service_util·reset-failed·$service | ||
| 81 | fi | ||
| 82 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 83 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 84 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 85 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 86 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 87 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 88 | ··else | ||
| 89 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 90 | ··fi | ||
| 91 | fi | ||
| 92 | } | ||
| 93 | service_command·disable·atd | ||
| 94 | #·END·fix·for·'service_atd_disabled' | ||
| 95 | ############################################################################### | ||
| 96 | #·BEGIN·fix·(2·/·94)·for·'service_rlogin_disabled' | ||
| 97 | ############################################################################### | ||
| 98 | (>&2·echo·"Remediating·rule·2/94:·'service_rlogin_disabled'") | ||
| 27 | #·FIX·FOR·THIS·RULE·IS·MISSING | 99 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 28 | #·END·fix·for·'service_rlogin_disabled' | 100 | #·END·fix·for·'service_rlogin_disabled' |
| 29 | ############################################################################### | 101 | ############################################################################### |
| 30 | #·BEGIN·fix·( | 102 | #·BEGIN·fix·(3·/·94)·for·'service_rexec_disabled' |
| 31 | ############################################################################### | 103 | ############################################################################### |
| 32 | (>&2·echo·"Remediating·rule· | 104 | (>&2·echo·"Remediating·rule·3/94:·'service_rexec_disabled'") |
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | 105 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 34 | #·END·fix·for·'service_rexec_disabled' | 106 | #·END·fix·for·'service_rexec_disabled' |
| 35 | ############################################################################### | 107 | ############################################################################### |
| 36 | #·BEGIN·fix·( | 108 | #·BEGIN·fix·(4·/·94)·for·'service_rsh_disabled' |
| 37 | ############################################################################### | 109 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule· | 110 | (>&2·echo·"Remediating·rule·4/94:·'service_rsh_disabled'") |
| 39 | #·FIX·FOR·THIS·RULE·IS·MISSING | 111 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 40 | #·END·fix·for·'service_rsh_disabled' | 112 | #·END·fix·for·'service_rsh_disabled' |
| 41 | ############################################################################### | 113 | ############################################################################### |
| 42 | #·BEGIN·fix·( | 114 | #·BEGIN·fix·(5·/·94)·for·'package_rsh-server_removed' |
| 43 | ############################################################################### | 115 | ############################################################################### |
| 44 | (>&2·echo·"Remediating·rule· | 116 | (>&2·echo·"Remediating·rule·5/94:·'package_rsh-server_removed'") |
| 45 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 117 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 46 | # | 118 | # |
| 47 | #·Example·Call(s): | 119 | #·Example·Call(s): |
| 48 | # | 120 | # |
| 49 | #·····package_remove·telnet-server | 121 | #·····package_remove·telnet-server |
| 50 | # | 122 | # |
| 51 | function·package_remove·{ | 123 | function·package_remove·{ |
| Offset 83, 17 lines modified | Offset 165, 17 lines modified | ||
| 83 | } | 165 | } |
| 84 | package_remove·rsh-server | 166 | package_remove·rsh-server |
| 85 | #·END·fix·for·'package_rsh-server_removed' | 167 | #·END·fix·for·'package_rsh-server_removed' |
| Max diff block lines reached; 79730/84667 bytes (94.17%) of diff not shown. | |||
| Offset 45, 31 lines modified | Offset 45, 17 lines modified | ||
| 45 | #·BEGIN·fix·(2·/·186)·for·'mount_option_smb_client_signing' | 45 | #·BEGIN·fix·(2·/·186)·for·'mount_option_smb_client_signing' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | (>&2·echo·"Remediating·rule·2/186:·'mount_option_smb_client_signing'") | 47 | (>&2·echo·"Remediating·rule·2/186:·'mount_option_smb_client_signing'") |
| 48 | #·FIX·FOR·THIS·RULE·IS·MISSING | 48 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 49 | #·END·fix·for·'mount_option_smb_client_signing' | 49 | #·END·fix·for·'mount_option_smb_client_signing' |
| 50 | ############################################################################### | 50 | ############################################################################### |
| 51 | #·BEGIN·fix·(3·/·186)·for·' | 51 | #·BEGIN·fix·(3·/·186)·for·'service_ntpd_enabled' |
| 52 | ############################################################################### | 52 | ############################################################################### |
| 53 | (>&2·echo·"Remediating·rule·3/186:·' | 53 | (>&2·echo·"Remediating·rule·3/186:·'service_ntpd_enabled'") |
| 54 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 55 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 56 | ############################################################################### | ||
| 57 | #·BEGIN·fix·(4·/·186)·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 58 | ############################################################################### | ||
| 59 | (>&2·echo·"Remediating·rule·4/186:·'sysconfig_networking_bootproto_ifcfg'") | ||
| 60 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 61 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 62 | ############################################################################### | ||
| 63 | #·BEGIN·fix·(5·/·186)·for·'service_ntpd_enabled' | ||
| 64 | ############################################################################### | ||
| 65 | (>&2·echo·"Remediating·rule·5/186:·'service_ntpd_enabled'") | ||
| 66 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 54 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 67 | # | 55 | # |
| 68 | #·Example·Call(s): | 56 | #·Example·Call(s): |
| 69 | # | 57 | # |
| 70 | #·····service_command·enable·bluetooth | 58 | #·····service_command·enable·bluetooth |
| 71 | #·····service_command·disable·bluetooth.service | 59 | #·····service_command·disable·bluetooth.service |
| 72 | # | 60 | # |
| Offset 141, 45 lines modified | Offset 127, 24 lines modified | ||
| 141 | } | 127 | } |
| 142 | service_command·enable·ntpd | 128 | service_command·enable·ntpd |
| 143 | #·END·fix·for·'service_ntpd_enabled' | 129 | #·END·fix·for·'service_ntpd_enabled' |
| 144 | ############################################################################### | 130 | ############################################################################### |
| 145 | #·BEGIN·fix·( | 131 | #·BEGIN·fix·(4·/·186)·for·'ntpd_specify_remote_server' |
| 146 | ############################################################################### | 132 | ############################################################################### |
| 147 | (>&2·echo·"Remediating·rule· | 133 | (>&2·echo·"Remediating·rule·4/186:·'ntpd_specify_remote_server'") |
| 148 | #·FIX·FOR·THIS·RULE·IS·MISSING | 134 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 149 | #·END·fix·for·'ntpd_specify_remote_server' | 135 | #·END·fix·for·'ntpd_specify_remote_server' |
| 150 | ############################################################################### | 136 | ############################################################################### |
| 151 | #·BEGIN·fix·( | 137 | #·BEGIN·fix·(5·/·186)·for·'package_openldap-servers_removed' |
| 152 | ############################################################################### | ||
| 153 | (>&2·echo·"Remediating·rule·7/186:·'service_rlogin_disabled'") | ||
| 154 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 155 | #·END·fix·for·'service_rlogin_disabled' | ||
| 156 | ############################################################################### | ||
| 157 | #·BEGIN·fix·(8·/·186)·for·'service_rexec_disabled' | ||
| 158 | ############################################################################### | 138 | ############################################################################### |
| 159 | (>&2·echo·"Remediating·rule· | 139 | (>&2·echo·"Remediating·rule·5/186:·'package_openldap-servers_removed'") |
| 160 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 161 | #·END·fix·for·'service_rexec_disabled' | ||
| 162 | ############################################################################### | ||
| 163 | #·BEGIN·fix·(9·/·186)·for·'service_rsh_disabled' | ||
| 164 | ############################################################################### | ||
| 165 | (>&2·echo·"Remediating·rule·9/186:·'service_rsh_disabled'") | ||
| 166 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 167 | #·END·fix·for·'service_rsh_disabled' | ||
| 168 | ############################################################################### | ||
| 169 | #·BEGIN·fix·(10·/·186)·for·'package_rsh-server_removed' | ||
| 170 | ############################################################################### | ||
| 171 | (>&2·echo·"Remediating·rule·10/186:·'package_rsh-server_removed'") | ||
| 172 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 140 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 173 | # | 141 | # |
| 174 | #·Example·Call(s): | 142 | #·Example·Call(s): |
| 175 | # | 143 | # |
| 176 | #·····package_remove·telnet-server | 144 | #·····package_remove·telnet-server |
| 177 | # | 145 | # |
| 178 | function·package_remove·{ | 146 | function·package_remove·{ |
| Offset 209, 83 lines modified | Offset 174, 279 lines modified | ||
| 209 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 174 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 210 | ··echo·"Aborting." | 175 | ··echo·"Aborting." |
| 211 | ··exit·1 | 176 | ··exit·1 |
| 212 | fi | 177 | fi |
| 213 | } | 178 | } |
| 214 | package_remove· | 179 | package_remove·openldap-servers |
| 215 | #·END·fix·for·'package_ | 180 | #·END·fix·for·'package_openldap-servers_removed' |
| 216 | ############################################################################### | 181 | ############################################################################### |
| 217 | #·BEGIN·fix·( | 182 | #·BEGIN·fix·(6·/·186)·for·'ldap_client_start_tls' |
| 218 | ############################################################################### | 183 | ############################################################################### |
| 219 | (>&2·echo·"Remediating·rule· | 184 | (>&2·echo·"Remediating·rule·6/186:·'ldap_client_start_tls'") |
| 220 | find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; | ||
| 221 | if·[·-f·/etc/hosts.equiv·];·then | ||
| 222 | 185 | #·Use·LDAP·for·authentication | |
| 223 | fi | 186 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 224 | #· | 187 | #·it·does·not·exist. |
| 188 | # | ||
| 189 | #·Expects·arguments: | ||
| 190 | # | ||
| 191 | #·config_file:» » Configuration·file·that·will·be·modified | ||
| 192 | #·key:» » » Configuration·option·to·change | ||
| 193 | #·value:»»Value·of·the·configuration·option·to·change | ||
| 194 | #·cce:» » » The·CCE·identifier·or·'@CCENUM@'·if·no·CCE·identifier·exists | ||
| 195 | #·format:» » The·printf-like·format·string·that·will·be·given·stripped·key·and·value·as·arguments, | ||
| 196 | #» » » so·e.g.·'%s=%s'·will·result·in·key=value·subsitution·(i.e.·without·spaces·around·=) | ||
| 197 | # | ||
| 198 | #·Optional·arugments: | ||
| 199 | # | ||
| 200 | #·format:» » Optional·argument·to·specify·the·format·of·how·key/value·should·be | ||
| 201 | #·» » » modified/appended·in·the·configuration·file.·The·default·is·key·=·value. | ||
| 202 | # | ||
| 203 | #·Example·Call(s): | ||
| 204 | # | ||
| 205 | #·····With·default·format·of·'key·=·value': | ||
| 206 | #·····replace_or_append·'/etc/sysctl.conf'·'^kernel.randomize_va_space'·'2'·'@CCENUM@' | ||
| 207 | # | ||
| 208 | #·····With·custom·key/value·format: | ||
| 209 | #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·'disabled'·'@CCENUM@'·'%s=%s' | ||
| 210 | # | ||
| 211 | #·····With·a·variable: | ||
| 212 | #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'@CCENUM@'·'%s=%s' | ||
| 213 | # | ||
| 214 | function·replace_or_append·{ | ||
| 215 | ··local·default_format='%s·=·%s'·case_insensitive_mode=yes·sed_case_insensitive_option=''·grep_case_insensitive_option='' | ||
| 216 | ··local·config_file=$1 | ||
| Max diff block lines reached; 274005/285608 bytes (95.94%) of diff not shown. | |||
| Offset 46, 24 lines modified | Offset 46, 17 lines modified | ||
| 46 | #·BEGIN·fix·(2·/·182)·for·'mount_option_smb_client_signing' | 46 | #·BEGIN·fix·(2·/·182)·for·'mount_option_smb_client_signing' |
| 47 | ############################################################################### | 47 | ############################################################################### |
| 48 | (>&2·echo·"Remediating·rule·2/182:·'mount_option_smb_client_signing'") | 48 | (>&2·echo·"Remediating·rule·2/182:·'mount_option_smb_client_signing'") |
| 49 | #·FIX·FOR·THIS·RULE·IS·MISSING | 49 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 50 | #·END·fix·for·'mount_option_smb_client_signing' | 50 | #·END·fix·for·'mount_option_smb_client_signing' |
| 51 | ############################################################################### | 51 | ############################################################################### |
| 52 | #·BEGIN·fix·(3·/·182)·for·' | 52 | #·BEGIN·fix·(3·/·182)·for·'service_ntpd_enabled' |
| 53 | ############################################################################### | 53 | ############################################################################### |
| 54 | (>&2·echo·"Remediating·rule·3/182:·' | 54 | (>&2·echo·"Remediating·rule·3/182:·'service_ntpd_enabled'") |
| 55 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 56 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 57 | ############################################################################### | ||
| 58 | #·BEGIN·fix·(4·/·182)·for·'service_ntpd_enabled' | ||
| 59 | ############################################################################### | ||
| 60 | (>&2·echo·"Remediating·rule·4/182:·'service_ntpd_enabled'") | ||
| 61 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 55 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 62 | # | 56 | # |
| 63 | #·Example·Call(s): | 57 | #·Example·Call(s): |
| 64 | # | 58 | # |
| 65 | #·····service_command·enable·bluetooth | 59 | #·····service_command·enable·bluetooth |
| 66 | #·····service_command·disable·bluetooth.service | 60 | #·····service_command·disable·bluetooth.service |
| 67 | # | 61 | # |
| Offset 135, 45 lines modified | Offset 128, 24 lines modified | ||
| 135 | } | 128 | } |
| 136 | service_command·enable·ntpd | 129 | service_command·enable·ntpd |
| 137 | #·END·fix·for·'service_ntpd_enabled' | 130 | #·END·fix·for·'service_ntpd_enabled' |
| 138 | ############################################################################### | 131 | ############################################################################### |
| 139 | #·BEGIN·fix·( | 132 | #·BEGIN·fix·(4·/·182)·for·'ntpd_specify_remote_server' |
| 140 | ############################################################################### | 133 | ############################################################################### |
| 141 | (>&2·echo·"Remediating·rule· | 134 | (>&2·echo·"Remediating·rule·4/182:·'ntpd_specify_remote_server'") |
| 142 | #·FIX·FOR·THIS·RULE·IS·MISSING | 135 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 143 | #·END·fix·for·'ntpd_specify_remote_server' | 136 | #·END·fix·for·'ntpd_specify_remote_server' |
| 144 | ############################################################################### | 137 | ############################################################################### |
| 145 | #·BEGIN·fix·( | 138 | #·BEGIN·fix·(5·/·182)·for·'package_openldap-servers_removed' |
| 146 | ############################################################################### | ||
| 147 | (>&2·echo·"Remediating·rule·6/182:·'service_rlogin_disabled'") | ||
| 148 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 149 | #·END·fix·for·'service_rlogin_disabled' | ||
| 150 | ############################################################################### | ||
| 151 | #·BEGIN·fix·(7·/·182)·for·'service_rexec_disabled' | ||
| 152 | ############################################################################### | ||
| 153 | (>&2·echo·"Remediating·rule·7/182:·'service_rexec_disabled'") | ||
| 154 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 155 | #·END·fix·for·'service_rexec_disabled' | ||
| 156 | ############################################################################### | ||
| 157 | #·BEGIN·fix·(8·/·182)·for·'service_rsh_disabled' | ||
| 158 | ############################################################################### | 139 | ############################################################################### |
| 159 | (>&2·echo·"Remediating·rule· | 140 | (>&2·echo·"Remediating·rule·5/182:·'package_openldap-servers_removed'") |
| 160 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 161 | #·END·fix·for·'service_rsh_disabled' | ||
| 162 | ############################################################################### | ||
| 163 | #·BEGIN·fix·(9·/·182)·for·'package_rsh-server_removed' | ||
| 164 | ############################################################################### | ||
| 165 | (>&2·echo·"Remediating·rule·9/182:·'package_rsh-server_removed'") | ||
| 166 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 141 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 167 | # | 142 | # |
| 168 | #·Example·Call(s): | 143 | #·Example·Call(s): |
| 169 | # | 144 | # |
| 170 | #·····package_remove·telnet-server | 145 | #·····package_remove·telnet-server |
| 171 | # | 146 | # |
| 172 | function·package_remove·{ | 147 | function·package_remove·{ |
| Offset 203, 83 lines modified | Offset 175, 279 lines modified | ||
| 203 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 175 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 204 | ··echo·"Aborting." | 176 | ··echo·"Aborting." |
| 205 | ··exit·1 | 177 | ··exit·1 |
| 206 | fi | 178 | fi |
| 207 | } | 179 | } |
| 208 | package_remove· | 180 | package_remove·openldap-servers |
| 209 | #·END·fix·for·'package_ | 181 | #·END·fix·for·'package_openldap-servers_removed' |
| 210 | ############################################################################### | 182 | ############################################################################### |
| 211 | #·BEGIN·fix·( | 183 | #·BEGIN·fix·(6·/·182)·for·'ldap_client_start_tls' |
| 212 | ############################################################################### | 184 | ############################################################################### |
| 213 | (>&2·echo·"Remediating·rule· | 185 | (>&2·echo·"Remediating·rule·6/182:·'ldap_client_start_tls'") |
| 214 | find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; | ||
| 215 | if·[·-f·/etc/hosts.equiv·];·then | ||
| 216 | 186 | #·Use·LDAP·for·authentication | |
| 217 | fi | 187 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 218 | #· | 188 | #·it·does·not·exist. |
| 189 | # | ||
| 190 | #·Expects·arguments: | ||
| 191 | # | ||
| 192 | #·config_file:» » Configuration·file·that·will·be·modified | ||
| 193 | #·key:» » » Configuration·option·to·change | ||
| 194 | #·value:»»Value·of·the·configuration·option·to·change | ||
| 195 | #·cce:» » » The·CCE·identifier·or·'@CCENUM@'·if·no·CCE·identifier·exists | ||
| 196 | #·format:» » The·printf-like·format·string·that·will·be·given·stripped·key·and·value·as·arguments, | ||
| 197 | #» » » so·e.g.·'%s=%s'·will·result·in·key=value·subsitution·(i.e.·without·spaces·around·=) | ||
| 198 | # | ||
| 199 | #·Optional·arugments: | ||
| 200 | # | ||
| 201 | #·format:» » Optional·argument·to·specify·the·format·of·how·key/value·should·be | ||
| 202 | #·» » » modified/appended·in·the·configuration·file.·The·default·is·key·=·value. | ||
| 203 | # | ||
| 204 | #·Example·Call(s): | ||
| 205 | # | ||
| 206 | #·····With·default·format·of·'key·=·value': | ||
| 207 | #·····replace_or_append·'/etc/sysctl.conf'·'^kernel.randomize_va_space'·'2'·'@CCENUM@' | ||
| 208 | # | ||
| 209 | #·····With·custom·key/value·format: | ||
| 210 | #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·'disabled'·'@CCENUM@'·'%s=%s' | ||
| 211 | # | ||
| 212 | #·····With·a·variable: | ||
| 213 | #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'@CCENUM@'·'%s=%s' | ||
| 214 | # | ||
| 215 | function·replace_or_append·{ | ||
| 216 | ··local·default_format='%s·=·%s'·case_insensitive_mode=yes·sed_case_insensitive_option=''·grep_case_insensitive_option='' | ||
| 217 | ··local·config_file=$1 | ||
| 218 | ··local·key=$2 | ||
| 219 | ··local·value=$3 | ||
| 220 | ··local·cce=$4 | ||
| 221 | ··local·format=$5 | ||
| 222 | ··if·[·"$case_insensitive_mode"·=·yes·];·then | ||
| 223 | ····sed_case_insensitive_option="i" | ||
| Max diff block lines reached; 270022/281230 bytes (96.01%) of diff not shown. | |||
| Offset 25, 17 lines modified | Offset 25, 31 lines modified | ||
| 25 | # | 25 | # |
| 26 | #·How·to·apply·this·remediation·role: | 26 | #·How·to·apply·this·remediation·role: |
| 27 | #·$·sudo·./remediation-role.sh | 27 | #·$·sudo·./remediation-role.sh |
| 28 | # | 28 | # |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | ############################################################################### | 30 | ############################################################################### |
| 31 | #·BEGIN·fix·(1·/·250)·for·' | 31 | #·BEGIN·fix·(1·/·250)·for·'ftp_log_transactions' |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | (>&2·echo·"Remediating·rule·1/250:·' | 33 | (>&2·echo·"Remediating·rule·1/250:·'ftp_log_transactions'") |
| 34 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 35 | #·END·fix·for·'ftp_log_transactions' | ||
| 36 | ############################################################################### | ||
| 37 | #·BEGIN·fix·(2·/·250)·for·'ftp_present_banner' | ||
| 38 | ############################################################################### | ||
| 39 | (>&2·echo·"Remediating·rule·2/250:·'ftp_present_banner'") | ||
| 40 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 41 | #·END·fix·for·'ftp_present_banner' | ||
| 42 | ############################################################################### | ||
| 43 | #·BEGIN·fix·(3·/·250)·for·'require_smb_client_signing' | ||
| 44 | ############################################################################### | ||
| 45 | (>&2·echo·"Remediating·rule·3/250:·'require_smb_client_signing'") | ||
| 34 | ###################################################################### | 46 | ###################################################################### |
| 35 | #By·Luke·"Brisk-OH"·Brisk | 47 | #By·Luke·"Brisk-OH"·Brisk |
| 36 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 48 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 37 | ###################################################################### | 49 | ###################################################################### |
| 38 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 50 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| Offset 44, 38 lines modified | Offset 58, 113 lines modified | ||
| 44 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 58 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 45 | else | 59 | else |
| 46 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 60 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 47 | fi | 61 | fi |
| 48 | #·END·fix·for·'require_smb_client_signing' | 62 | #·END·fix·for·'require_smb_client_signing' |
| 49 | ############################################################################### | 63 | ############################################################################### |
| 50 | #·BEGIN·fix·( | 64 | #·BEGIN·fix·(4·/·250)·for·'mount_option_smb_client_signing' |
| 51 | ############################################################################### | 65 | ############################################################################### |
| 52 | (>&2·echo·"Remediating·rule· | 66 | (>&2·echo·"Remediating·rule·4/250:·'mount_option_smb_client_signing'") |
| 53 | #·FIX·FOR·THIS·RULE·IS·MISSING | 67 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 54 | #·END·fix·for·'mount_option_smb_client_signing' | 68 | #·END·fix·for·'mount_option_smb_client_signing' |
| 55 | ############################################################################### | 69 | ############################################################################### |
| 56 | #·BEGIN·fix·( | 70 | #·BEGIN·fix·(5·/·250)·for·'service_ntpd_enabled' |
| 57 | ############################################################################### | 71 | ############################################################################### |
| 58 | (>&2·echo·"Remediating·rule· | 72 | (>&2·echo·"Remediating·rule·5/250:·'service_ntpd_enabled'") |
| 59 | #·F | 73 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 60 | # | 74 | # |
| 75 | #·Example·Call(s): | ||
| 76 | # | ||
| 77 | #·····service_command·enable·bluetooth | ||
| 78 | #·····service_command·disable·bluetooth.service | ||
| 79 | # | ||
| 80 | #·····Using·xinetd: | ||
| 81 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 82 | # | ||
| 83 | function·service_command·{ | ||
| 84 | #·Load·function·arguments·into·local·variables | ||
| 85 | local·service_state=$1 | ||
| 86 | local·service=$2 | ||
| 87 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 88 | #·Check·sanity·of·the·input | ||
| 89 | if·[·$#·-lt·"2"·] | ||
| 90 | then | ||
| 91 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 92 | ··echo | ||
| 93 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 94 | ··echo·"as·the·last·argument"·· | ||
| 95 | ··echo·"Aborting." | ||
| 96 | ··exit·1 | ||
| 97 | fi | ||
| 98 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 99 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 100 | ··service_util="/usr/bin/systemctl" | ||
| 101 | else | ||
| 102 | ··service_util="/sbin/service" | ||
| 103 | ··chkconfig_util="/sbin/chkconfig" | ||
| 104 | fi | ||
| 105 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 106 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 107 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 108 | ··service_state="enable" | ||
| 109 | ··service_operation="start" | ||
| 110 | ··chkconfig_state="on" | ||
| 111 | else | ||
| 112 | ··service_state="disable" | ||
| 113 | ··service_operation="stop" | ||
| 114 | ··chkconfig_state="off" | ||
| 115 | fi | ||
| 116 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 117 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 118 | ··$service_util·$service·$service_operation | ||
| 119 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 120 | else | ||
| 121 | ··$service_util·$service_operation·$service | ||
| 122 | ··$service_util·$service_state·$service | ||
| 123 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 124 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 125 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 126 | ··$service_util·reset-failed·$service | ||
| 127 | fi | ||
| 128 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 129 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 130 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 131 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 132 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 133 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 134 | ··else | ||
| 135 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 136 | ··fi | ||
| 137 | fi | ||
| 138 | } | ||
| 139 | service_command·enable·ntpd | ||
| 140 | #·END·fix·for·'service_ntpd_enabled' | ||
| Max diff block lines reached; 353872/359166 bytes (98.53%) of diff not shown. | |||
| Offset 19, 17 lines modified | Offset 19, 17 lines modified | ||
| 19 | # | 19 | # |
| 20 | #·How·to·apply·this·remediation·role: | 20 | #·How·to·apply·this·remediation·role: |
| 21 | #·$·sudo·./remediation-role.sh | 21 | #·$·sudo·./remediation-role.sh |
| 22 | # | 22 | # |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | ############################################################################### | 24 | ############################################################################### |
| 25 | #·BEGIN·fix·(1·/·223)·for·'service_s | 25 | #·BEGIN·fix·(1·/·223)·for·'service_vsftpd_disabled' |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | (>&2·echo·"Remediating·rule·1/223:·'service_s | 27 | (>&2·echo·"Remediating·rule·1/223:·'service_vsftpd_disabled'") |
| 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 29 | # | 29 | # |
| 30 | #·Example·Call(s): | 30 | #·Example·Call(s): |
| 31 | # | 31 | # |
| 32 | #·····service_command·enable·bluetooth | 32 | #·····service_command·enable·bluetooth |
| 33 | #·····service_command·disable·bluetooth.service | 33 | #·····service_command·disable·bluetooth.service |
| 34 | # | 34 | # |
| Offset 97, 47 lines modified | Offset 97, 65 lines modified | ||
| 97 | ··else | 97 | ··else |
| 98 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 98 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 99 | ··fi | 99 | ··fi |
| 100 | fi | 100 | fi |
| 101 | } | 101 | } |
| 102 | service_command·disable·s | 102 | service_command·disable·vsftpd |
| 103 | #·END·fix·for·'service_s | 103 | #·END·fix·for·'service_vsftpd_disabled' |
| 104 | ############################################################################### | 104 | ############################################################################### |
| 105 | #·BEGIN·fix·(2·/·223)·for·' | 105 | #·BEGIN·fix·(2·/·223)·for·'package_vsftpd_removed' |
| 106 | ############################################################################### | 106 | ############################################################################### |
| 107 | (>&2·echo·"Remediating·rule·2/223:·' | 107 | (>&2·echo·"Remediating·rule·2/223:·'package_vsftpd_removed'") |
| 108 | # | 108 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 109 | # | 109 | # |
| 110 | # | 110 | #·Example·Call(s): |
| 111 | # | 111 | # |
| 112 | #·····package_remove·telnet-server | ||
| 113 | # | ||
| 114 | function·package_remove·{ | ||
| 112 | 115 | #·Load·function·arguments·into·local·variables | |
| 116 | local·package="$1" | ||
| 113 | 117 | #·Check·sanity·of·the·input | |
| 114 | 118 | if·[·$#·-ne·"1"·] | |
| 115 | 119 | then | |
| 120 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 121 | ··echo·"Aborting." | ||
| 122 | ··exit·1 | ||
| 123 | fi | ||
| 124 | if·which·dnf·;·then | ||
| 125 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 126 | ····dnf·remove·-y·"$package" | ||
| 127 | ··fi | ||
| 128 | elif·which·yum·;·then | ||
| 129 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 130 | ····yum·remove·-y·"$package" | ||
| 131 | ··fi | ||
| 132 | elif·which·apt-get·;·then | ||
| 133 | ··apt-get·remove·-y·"$package" | ||
| 116 | else | 134 | else |
| 117 | 135 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 136 | ··echo·"Aborting." | ||
| 137 | ··exit·1 | ||
| 118 | fi | 138 | fi |
| 119 | #·END·fix·for·'require_smb_client_signing' | ||
| 120 | 139 | } | |
| 121 | #·BEGIN·fix·(3·/·223)·for·'mount_option_smb_client_signing' | ||
| 122 | 140 | package_remove·vsftpd | |
| 123 | 141 | #·END·fix·for·'package_vsftpd_removed' | |
| 124 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 125 | #·END·fix·for·'mount_option_smb_client_signing' | ||
| 126 | ############################################################################### | 142 | ############################################################################### |
| 127 | #·BEGIN·fix·( | 143 | #·BEGIN·fix·(3·/·223)·for·'service_httpd_disabled' |
| 128 | ############################################################################### | 144 | ############################################################################### |
| 129 | (>&2·echo·"Remediating·rule· | 145 | (>&2·echo·"Remediating·rule·3/223:·'service_httpd_disabled'") |
| 130 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 146 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 131 | # | 147 | # |
| 132 | #·Example·Call(s): | 148 | #·Example·Call(s): |
| 133 | # | 149 | # |
| 134 | #·····service_command·enable·bluetooth | 150 | #·····service_command·enable·bluetooth |
| 135 | #·····service_command·disable·bluetooth.service | 151 | #·····service_command·disable·bluetooth.service |
| 136 | # | 152 | # |
| Offset 209, 17 lines modified | Offset 227, 17 lines modified | ||
| 209 | } | 227 | } |
| 210 | service_command·disable·httpd | 228 | service_command·disable·httpd |
| 211 | #·END·fix·for·'service_httpd_disabled' | 229 | #·END·fix·for·'service_httpd_disabled' |
| 212 | ############################################################################### | 230 | ############################################################################### |
| 213 | #·BEGIN·fix·( | 231 | #·BEGIN·fix·(4·/·223)·for·'package_httpd_removed' |
| 214 | ############################################################################### | 232 | ############################################################################### |
| 215 | (>&2·echo·"Remediating·rule· | 233 | (>&2·echo·"Remediating·rule·4/223:·'package_httpd_removed'") |
| 216 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 234 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 217 | # | 235 | # |
| 218 | #·Example·Call(s): | 236 | #·Example·Call(s): |
| 219 | # | 237 | # |
| 220 | #·····package_remove·telnet-server | 238 | #·····package_remove·telnet-server |
| 221 | # | 239 | # |
| 222 | function·package_remove·{ | 240 | function·package_remove·{ |
| Offset 253, 68 lines modified | Offset 271, 99 lines modified | ||
| 253 | } | 271 | } |
| 254 | package_remove·httpd | 272 | package_remove·httpd |
| 255 | #·END·fix·for·'package_httpd_removed' | 273 | #·END·fix·for·'package_httpd_removed' |
| 256 | ############################################################################### | 274 | ############################################################################### |
| 257 | #·BEGIN·fix·( | 275 | #·BEGIN·fix·(5·/·223)·for·'service_named_disabled' |
| 258 | ############################################################################### | ||
| 259 | (>&2·echo·"Remediating·rule·6/223:·'postfix_network_listening_disabled'") | ||
| 260 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 261 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 262 | ############################################################################### | ||
| 263 | #·BEGIN·fix·(7·/·223)·for·'package_sendmail_removed' | ||
| 264 | ############################################################################### | 276 | ############################################################################### |
| 265 | (>&2·echo·"Remediating·rule· | 277 | (>&2·echo·"Remediating·rule·5/223:·'service_named_disabled'") |
| 266 | #·Function·to· | 278 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 267 | # | 279 | # |
| 268 | #·Example·Call(s): | 280 | #·Example·Call(s): |
| 269 | # | 281 | # |
| 270 | #····· | 282 | #·····service_command·enable·bluetooth |
| Max diff block lines reached; 388953/394659 bytes (98.55%) of diff not shown. | |||
| Offset 369, 17 lines modified | Offset 369, 61 lines modified | ||
| 369 | } | 369 | } |
| 370 | service_command·disable·tftp | 370 | service_command·disable·tftp |
| 371 | #·END·fix·for·'service_tftp_disabled' | 371 | #·END·fix·for·'service_tftp_disabled' |
| 372 | ############################################################################### | 372 | ############################################################################### |
| 373 | #·BEGIN·fix·(11·/·213)·for·' | 373 | #·BEGIN·fix·(11·/·213)·for·'package_tcp_wrappers_installed' |
| 374 | ############################################################################### | 374 | ############################################################################### |
| 375 | (>&2·echo·"Remediating·rule·11/213:·' | 375 | (>&2·echo·"Remediating·rule·11/213:·'package_tcp_wrappers_installed'") |
| 376 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 377 | # | ||
| 378 | #·Example·Call(s): | ||
| 379 | # | ||
| 380 | #·····package_install·aide | ||
| 381 | # | ||
| 382 | function·package_install·{ | ||
| 383 | #·Load·function·arguments·into·local·variables | ||
| 384 | local·package="$1" | ||
| 385 | #·Check·sanity·of·the·input | ||
| 386 | if·[·$#·-ne·"1"·] | ||
| 387 | then | ||
| 388 | ··echo·"Usage:·package_install·'package_name'" | ||
| 389 | ··echo·"Aborting." | ||
| 390 | ··exit·1 | ||
| 391 | fi | ||
| 392 | if·which·dnf·;·then | ||
| 393 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 394 | ····dnf·install·-y·"$package" | ||
| 395 | ··fi | ||
| 396 | elif·which·yum·;·then | ||
| 397 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 398 | ····yum·install·-y·"$package" | ||
| 399 | ··fi | ||
| 400 | elif·which·apt-get·;·then | ||
| 401 | ··apt-get·install·-y·"$package" | ||
| 402 | else | ||
| 403 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 404 | ··echo·"Aborting." | ||
| 405 | ··exit·1 | ||
| 406 | fi | ||
| 407 | } | ||
| 408 | package_install·tcp_wrappers | ||
| 409 | #·END·fix·for·'package_tcp_wrappers_installed' | ||
| 410 | ############################################################################### | ||
| 411 | #·BEGIN·fix·(12·/·213)·for·'service_xinetd_disabled' | ||
| 412 | ############################################################################### | ||
| 413 | (>&2·echo·"Remediating·rule·12/213:·'service_xinetd_disabled'") | ||
| 376 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 414 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 377 | # | 415 | # |
| 378 | #·Example·Call(s): | 416 | #·Example·Call(s): |
| 379 | # | 417 | # |
| 380 | #·····service_command·enable·bluetooth | 418 | #·····service_command·enable·bluetooth |
| 381 | #·····service_command·disable·bluetooth.service | 419 | #·····service_command·disable·bluetooth.service |
| 382 | # | 420 | # |
| Offset 451, 61 lines modified | Offset 495, 61 lines modified | ||
| 451 | } | 495 | } |
| 452 | service_command·disable·xinetd | 496 | service_command·disable·xinetd |
| 453 | #·END·fix·for·'service_xinetd_disabled' | 497 | #·END·fix·for·'service_xinetd_disabled' |
| 454 | ############################################################################### | 498 | ############################################################################### |
| 455 | #·BEGIN·fix·(1 | 499 | #·BEGIN·fix·(13·/·213)·for·'package_talk_removed' |
| 456 | ############################################################################### | 500 | ############################################################################### |
| 457 | (>&2·echo·"Remediating·rule·1 | 501 | (>&2·echo·"Remediating·rule·13/213:·'package_talk_removed'") |
| 458 | #·Function·to· | 502 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 459 | # | 503 | # |
| 460 | #·Example·Call(s): | 504 | #·Example·Call(s): |
| 461 | # | 505 | # |
| 462 | #·····package_ | 506 | #·····package_remove·telnet-server |
| 463 | # | 507 | # |
| 464 | function·package_ | 508 | function·package_remove·{ |
| 465 | #·Load·function·arguments·into·local·variables | 509 | #·Load·function·arguments·into·local·variables |
| 466 | local·package="$1" | 510 | local·package="$1" |
| 467 | #·Check·sanity·of·the·input | 511 | #·Check·sanity·of·the·input |
| 468 | if·[·$#·-ne·"1"·] | 512 | if·[·$#·-ne·"1"·] |
| 469 | then | 513 | then |
| 470 | ··echo·"Usage:·package_ | 514 | ··echo·"Usage:·package_remove·'package_name'" |
| 471 | ··echo·"Aborting." | 515 | ··echo·"Aborting." |
| 472 | ··exit·1 | 516 | ··exit·1 |
| 473 | fi | 517 | fi |
| 474 | if·which·dnf·;·then | 518 | if·which·dnf·;·then |
| 475 | ··if· | 519 | ··if·rpm·-q·--quiet·"$package";·then |
| 476 | ····dnf· | 520 | ····dnf·remove·-y·"$package" |
| 477 | ··fi | 521 | ··fi |
| 478 | elif·which·yum·;·then | 522 | elif·which·yum·;·then |
| 479 | ··if· | 523 | ··if·rpm·-q·--quiet·"$package";·then |
| 480 | ····yum· | 524 | ····yum·remove·-y·"$package" |
| 481 | ··fi | 525 | ··fi |
| 482 | elif·which·apt-get·;·then | 526 | elif·which·apt-get·;·then |
| 483 | ··apt-get· | 527 | ··apt-get·remove·-y·"$package" |
| 484 | else | 528 | else |
| 485 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 529 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 486 | ··echo·"Aborting." | 530 | ··echo·"Aborting." |
| 487 | ··exit·1 | 531 | ··exit·1 |
| 488 | fi | 532 | fi |
| 489 | } | 533 | } |
| 490 | package_ | 534 | package_remove·talk |
| 491 | #·END·fix·for·'package_t | 535 | #·END·fix·for·'package_talk_removed' |
| 492 | ############################################################################### | 536 | ############################################################################### |
| 493 | #·BEGIN·fix·(1 | 537 | #·BEGIN·fix·(14·/·213)·for·'package_talk-server_removed' |
| 494 | ############################################################################### | 538 | ############################################################################### |
| 495 | (>&2·echo·"Remediating·rule·1 | 539 | (>&2·echo·"Remediating·rule·14/213:·'package_talk-server_removed'") |
| 496 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 540 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 497 | # | 541 | # |
| 498 | #·Example·Call(s): | 542 | #·Example·Call(s): |
| 499 | # | 543 | # |
| 500 | #·····package_remove·telnet-server | 544 | #·····package_remove·telnet-server |
| 501 | # | 545 | # |
| 502 | function·package_remove·{ | 546 | function·package_remove·{ |
| Offset 535, 65 lines modified | Offset 579, 103 lines modified | ||
| 535 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 579 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 536 | ··echo·"Aborting." | 580 | ··echo·"Aborting." |
| 537 | ··exit·1 | 581 | ··exit·1 |
| Max diff block lines reached; 132822/137164 bytes (96.83%) of diff not shown. | |||
| Offset 192, 17 lines modified | Offset 192, 19 lines modified | ||
| 192 | ··fi | 192 | ··fi |
| 193 | } | 193 | } |
| 194 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' | 194 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' |
| 195 | #·END·fix·for·'sshd_set_keepalive' | 195 | #·END·fix·for·'sshd_set_keepalive' |
| 196 | ############################################################################### | 196 | ############################################################################### |
| 197 | #·BEGIN·fix·(3·/·102)·for·'sshd_e | 197 | #·BEGIN·fix·(3·/·102)·for·'sshd_set_idle_timeout' |
| 198 | ############################################################################### | 198 | ############################################################################### |
| 199 | (>&2·echo·"Remediating·rule·3/102:·'sshd_e | 199 | (>&2·echo·"Remediating·rule·3/102:·'sshd_set_idle_timeout'") |
| 200 | sshd_idle_timeout_value="1800" | ||
| 200 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 201 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 201 | #·it·does·not·exist. | 202 | #·it·does·not·exist. |
| 202 | # | 203 | # |
| 203 | #·Expects·arguments: | 204 | #·Expects·arguments: |
| 204 | # | 205 | # |
| 205 | #·config_file:» » Configuration·file·that·will·be·modified | 206 | #·config_file:» » Configuration·file·that·will·be·modified |
| 206 | #·key:» » » Configuration·option·to·change | 207 | #·key:» » » Configuration·option·to·change |
| Offset 273, 21 lines modified | Offset 275, 21 lines modified | ||
| 273 | ··else | 275 | ··else |
| 274 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 276 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 275 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 277 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 276 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 278 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 277 | ··fi | 279 | ··fi |
| 278 | } | 280 | } |
| 279 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 281 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 280 | #·END·fix·for·'sshd_e | 282 | #·END·fix·for·'sshd_set_idle_timeout' |
| 281 | ############################################################################### | 283 | ############################################################################### |
| 282 | #·BEGIN·fix·(4·/·102)·for·'sshd_ | 284 | #·BEGIN·fix·(4·/·102)·for·'sshd_enable_warning_banner' |
| 283 | ############################################################################### | 285 | ############################################################################### |
| 284 | (>&2·echo·"Remediating·rule·4/102:·'sshd_ | 286 | (>&2·echo·"Remediating·rule·4/102:·'sshd_enable_warning_banner'") |
| 285 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 287 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 286 | #·it·does·not·exist. | 288 | #·it·does·not·exist. |
| 287 | # | 289 | # |
| 288 | #·Expects·arguments: | 290 | #·Expects·arguments: |
| 289 | # | 291 | # |
| 290 | #·config_file:» » Configuration·file·that·will·be·modified | 292 | #·config_file:» » Configuration·file·that·will·be·modified |
| 291 | #·key:» » » Configuration·option·to·change | 293 | #·key:» » » Configuration·option·to·change |
| Offset 358, 16 lines modified | Offset 360, 16 lines modified | ||
| 358 | ··else | 360 | ··else |
| 359 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 361 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 360 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 362 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 361 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 363 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 362 | ··fi | 364 | ··fi |
| 363 | } | 365 | } |
| 364 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 366 | replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s' |
| 365 | #·END·fix·for·'sshd_ | 367 | #·END·fix·for·'sshd_enable_warning_banner' |
| 366 | ############################################################################### | 368 | ############################################################################### |
| 367 | #·BEGIN·fix·(5·/·102)·for·'sshd_allow_only_protocol2' | 369 | #·BEGIN·fix·(5·/·102)·for·'sshd_allow_only_protocol2' |
| 368 | ############################################################################### | 370 | ############################################################################### |
| 369 | (>&2·echo·"Remediating·rule·5/102:·'sshd_allow_only_protocol2'") | 371 | (>&2·echo·"Remediating·rule·5/102:·'sshd_allow_only_protocol2'") |
| 370 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 372 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 371 | #·it·does·not·exist. | 373 | #·it·does·not·exist. |
| Offset 532, 19 lines modified | Offset 534, 17 lines modified | ||
| 532 | ··fi | 534 | ··fi |
| 533 | } | 535 | } |
| 534 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s' | 536 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s' |
| 535 | #·END·fix·for·'sshd_disable_rhosts' | 537 | #·END·fix·for·'sshd_disable_rhosts' |
| 536 | ############################################################################### | 538 | ############################################################################### |
| 537 | #·BEGIN·fix·(7·/·102)·for·'sshd_ | 539 | #·BEGIN·fix·(7·/·102)·for·'sshd_do_not_permit_user_env' |
| 538 | ############################################################################### | 540 | ############################################################################### |
| 539 | (>&2·echo·"Remediating·rule·7/102:·'sshd_ | 541 | (>&2·echo·"Remediating·rule·7/102:·'sshd_do_not_permit_user_env'") |
| 540 | sshd_idle_timeout_value="1800" | ||
| 541 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 542 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 542 | #·it·does·not·exist. | 543 | #·it·does·not·exist. |
| 543 | # | 544 | # |
| 544 | #·Expects·arguments: | 545 | #·Expects·arguments: |
| 545 | # | 546 | # |
| 546 | #·config_file:» » Configuration·file·that·will·be·modified | 547 | #·config_file:» » Configuration·file·that·will·be·modified |
| 547 | #·key:» » » Configuration·option·to·change | 548 | #·key:» » » Configuration·option·to·change |
| Offset 615, 16 lines modified | Offset 615, 16 lines modified | ||
| 615 | ··else | 615 | ··else |
| 616 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 616 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 617 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 617 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 618 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 618 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 619 | ··fi | 619 | ··fi |
| 620 | } | 620 | } |
| 621 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 621 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s' |
| 622 | #·END·fix·for·'sshd_ | 622 | #·END·fix·for·'sshd_do_not_permit_user_env' |
| 623 | ############################################################################### | 623 | ############################################################################### |
| 624 | #·BEGIN·fix·(8·/·102)·for·'sshd_use_approved_ciphers' | 624 | #·BEGIN·fix·(8·/·102)·for·'sshd_use_approved_ciphers' |
| 625 | ############################################################################### | 625 | ############################################################################### |
| 626 | (>&2·echo·"Remediating·rule·8/102:·'sshd_use_approved_ciphers'") | 626 | (>&2·echo·"Remediating·rule·8/102:·'sshd_use_approved_ciphers'") |
| 627 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 627 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 628 | #·it·does·not·exist. | 628 | #·it·does·not·exist. |
| Offset 1193, 19 lines modified | Offset 1193, 17 lines modified | ||
| 1193 | include_dconf_settings | 1193 | include_dconf_settings |
| 1194 | dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings' | 1194 | dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings' |
| 1195 | dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock' | 1195 | dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock' |
| 1196 | #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled' | 1196 | #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled' |
| 1197 | ############################################################################### | 1197 | ############################################################################### |
| 1198 | #·BEGIN·fix·(23·/·102)·for·'dconf_gnome_screensaver_ | 1198 | #·BEGIN·fix·(23·/·102)·for·'dconf_gnome_screensaver_mode_blank' |
| 1199 | ############################################################################### | 1199 | ############################################################################### |
| 1200 | (>&2·echo·"Remediating·rule·23/102:·'dconf_gnome_screensaver_ | 1200 | (>&2·echo·"Remediating·rule·23/102:·'dconf_gnome_screensaver_mode_blank'") |
| 1201 | inactivity_timeout_value="1800" | ||
| 1202 | function·include_dconf_settings·{ | 1201 | function·include_dconf_settings·{ |
| 1203 | » : | 1202 | » : |
| 1204 | } | 1203 | } |
| 1205 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 1204 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 1206 | # | 1205 | # |
| 1207 | #·Example·Call(s): | 1206 | #·Example·Call(s): |
| Offset 1273, 22 lines modified | Offset 1271, 24 lines modified | ||
| 1273 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 1271 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 1274 | » fi | 1272 | » fi |
| 1275 | } | 1273 | } |
| 1276 | include_dconf_settings | 1274 | include_dconf_settings |
| 1277 | dconf_settings·'org/gnome/desktop/s | 1275 | dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings' |
| 1278 | dconf_lock·'org/gnome/desktop/ses | 1276 | dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock' |
| 1279 | #·END·fix·for·'dconf_gnome_screensaver_ | 1277 | #·END·fix·for·'dconf_gnome_screensaver_mode_blank' |
| Max diff block lines reached; 69231/75731 bytes (91.42%) of diff not shown. | |||
| Offset 285, 17 lines modified | Offset 285, 61 lines modified | ||
| 285 | } | 285 | } |
| 286 | package_remove·telnet-server | 286 | package_remove·telnet-server |
| 287 | #·END·fix·for·'package_telnet-server_removed' | 287 | #·END·fix·for·'package_telnet-server_removed' |
| 288 | ############################################################################### | 288 | ############################################################################### |
| 289 | #·BEGIN·fix·(10·/·149)·for·' | 289 | #·BEGIN·fix·(10·/·149)·for·'package_ypbind_removed' |
| 290 | ############################################################################### | 290 | ############################################################################### |
| 291 | (>&2·echo·"Remediating·rule·10/149:·' | 291 | (>&2·echo·"Remediating·rule·10/149:·'package_ypbind_removed'") |
| 292 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 293 | # | ||
| 294 | #·Example·Call(s): | ||
| 295 | # | ||
| 296 | #·····package_remove·telnet-server | ||
| 297 | # | ||
| 298 | function·package_remove·{ | ||
| 299 | #·Load·function·arguments·into·local·variables | ||
| 300 | local·package="$1" | ||
| 301 | #·Check·sanity·of·the·input | ||
| 302 | if·[·$#·-ne·"1"·] | ||
| 303 | then | ||
| 304 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 305 | ··echo·"Aborting." | ||
| 306 | ··exit·1 | ||
| 307 | fi | ||
| 308 | if·which·dnf·;·then | ||
| 309 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 310 | ····dnf·remove·-y·"$package" | ||
| 311 | ··fi | ||
| 312 | elif·which·yum·;·then | ||
| 313 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 314 | ····yum·remove·-y·"$package" | ||
| 315 | ··fi | ||
| 316 | elif·which·apt-get·;·then | ||
| 317 | ··apt-get·remove·-y·"$package" | ||
| 318 | else | ||
| 319 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 320 | ··echo·"Aborting." | ||
| 321 | ··exit·1 | ||
| 322 | fi | ||
| 323 | } | ||
| 324 | package_remove·ypbind | ||
| 325 | #·END·fix·for·'package_ypbind_removed' | ||
| 326 | ############################################################################### | ||
| 327 | #·BEGIN·fix·(11·/·149)·for·'service_ypbind_disabled' | ||
| 328 | ############################################################################### | ||
| 329 | (>&2·echo·"Remediating·rule·11/149:·'service_ypbind_disabled'") | ||
| 292 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 330 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 293 | # | 331 | # |
| 294 | #·Example·Call(s): | 332 | #·Example·Call(s): |
| 295 | # | 333 | # |
| 296 | #·····service_command·enable·bluetooth | 334 | #·····service_command·enable·bluetooth |
| 297 | #·····service_command·disable·bluetooth.service | 335 | #·····service_command·disable·bluetooth.service |
| 298 | # | 336 | # |
| Offset 367, 58 lines modified | Offset 411, 14 lines modified | ||
| 367 | } | 411 | } |
| 368 | service_command·disable·ypbind | 412 | service_command·disable·ypbind |
| 369 | #·END·fix·for·'service_ypbind_disabled' | 413 | #·END·fix·for·'service_ypbind_disabled' |
| 370 | ############################################################################### | 414 | ############################################################################### |
| 371 | #·BEGIN·fix·(11·/·149)·for·'package_ypbind_removed' | ||
| 372 | ############################################################################### | ||
| 373 | (>&2·echo·"Remediating·rule·11/149:·'package_ypbind_removed'") | ||
| 374 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 375 | # | ||
| 376 | #·Example·Call(s): | ||
| 377 | # | ||
| 378 | #·····package_remove·telnet-server | ||
| 379 | # | ||
| 380 | function·package_remove·{ | ||
| 381 | #·Load·function·arguments·into·local·variables | ||
| 382 | local·package="$1" | ||
| 383 | #·Check·sanity·of·the·input | ||
| 384 | if·[·$#·-ne·"1"·] | ||
| 385 | then | ||
| 386 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 387 | ··echo·"Aborting." | ||
| 388 | ··exit·1 | ||
| 389 | fi | ||
| 390 | if·which·dnf·;·then | ||
| 391 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 392 | ····dnf·remove·-y·"$package" | ||
| 393 | ··fi | ||
| 394 | elif·which·yum·;·then | ||
| 395 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 396 | ····yum·remove·-y·"$package" | ||
| 397 | ··fi | ||
| 398 | elif·which·apt-get·;·then | ||
| 399 | ··apt-get·remove·-y·"$package" | ||
| 400 | else | ||
| 401 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 402 | ··echo·"Aborting." | ||
| 403 | ··exit·1 | ||
| 404 | fi | ||
| 405 | } | ||
| 406 | package_remove·ypbind | ||
| 407 | #·END·fix·for·'package_ypbind_removed' | ||
| 408 | ############################################################################### | ||
| 409 | #·BEGIN·fix·(12·/·149)·for·'package_ypserv_removed' | 415 | #·BEGIN·fix·(12·/·149)·for·'package_ypserv_removed' |
| 410 | ############################################################################### | 416 | ############################################################################### |
| 411 | (>&2·echo·"Remediating·rule·12/149:·'package_ypserv_removed'") | 417 | (>&2·echo·"Remediating·rule·12/149:·'package_ypserv_removed'") |
| 412 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 418 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 413 | # | 419 | # |
| 414 | #·Example·Call(s): | 420 | #·Example·Call(s): |
| 415 | # | 421 | # |
| Offset 922, 17 lines modified | Offset 922, 17 lines modified | ||
| 922 | #·BEGIN·fix·(20·/·149)·for·'use_kerberos_security_all_exports' | 922 | #·BEGIN·fix·(20·/·149)·for·'use_kerberos_security_all_exports' |
| 923 | ############################################################################### | 923 | ############################################################################### |
| 924 | (>&2·echo·"Remediating·rule·20/149:·'use_kerberos_security_all_exports'") | 924 | (>&2·echo·"Remediating·rule·20/149:·'use_kerberos_security_all_exports'") |
| 925 | #·FIX·FOR·THIS·RULE·IS·MISSING | 925 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 926 | #·END·fix·for·'use_kerberos_security_all_exports' | 926 | #·END·fix·for·'use_kerberos_security_all_exports' |
| Max diff block lines reached; 96537/100366 bytes (96.18%) of diff not shown. | |||
| Offset 293, 17 lines modified | Offset 293, 61 lines modified | ||
| 293 | } | 293 | } |
| 294 | package_remove·telnet-server | 294 | package_remove·telnet-server |
| 295 | #·END·fix·for·'package_telnet-server_removed' | 295 | #·END·fix·for·'package_telnet-server_removed' |
| 296 | ############################################################################### | 296 | ############################################################################### |
| 297 | #·BEGIN·fix·(10·/·358)·for·' | 297 | #·BEGIN·fix·(10·/·358)·for·'package_ypbind_removed' |
| 298 | ############################################################################### | 298 | ############################################################################### |
| 299 | (>&2·echo·"Remediating·rule·10/358:·' | 299 | (>&2·echo·"Remediating·rule·10/358:·'package_ypbind_removed'") |
| 300 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 301 | # | ||
| 302 | #·Example·Call(s): | ||
| 303 | # | ||
| 304 | #·····package_remove·telnet-server | ||
| 305 | # | ||
| 306 | function·package_remove·{ | ||
| 307 | #·Load·function·arguments·into·local·variables | ||
| 308 | local·package="$1" | ||
| 309 | #·Check·sanity·of·the·input | ||
| 310 | if·[·$#·-ne·"1"·] | ||
| 311 | then | ||
| 312 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 313 | ··echo·"Aborting." | ||
| 314 | ··exit·1 | ||
| 315 | fi | ||
| 316 | if·which·dnf·;·then | ||
| 317 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 318 | ····dnf·remove·-y·"$package" | ||
| 319 | ··fi | ||
| 320 | elif·which·yum·;·then | ||
| 321 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 322 | ····yum·remove·-y·"$package" | ||
| 323 | ··fi | ||
| 324 | elif·which·apt-get·;·then | ||
| 325 | ··apt-get·remove·-y·"$package" | ||
| 326 | else | ||
| 327 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 328 | ··echo·"Aborting." | ||
| 329 | ··exit·1 | ||
| 330 | fi | ||
| 331 | } | ||
| 332 | package_remove·ypbind | ||
| 333 | #·END·fix·for·'package_ypbind_removed' | ||
| 334 | ############################################################################### | ||
| 335 | #·BEGIN·fix·(11·/·358)·for·'service_ypbind_disabled' | ||
| 336 | ############################################################################### | ||
| 337 | (>&2·echo·"Remediating·rule·11/358:·'service_ypbind_disabled'") | ||
| 300 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 338 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 301 | # | 339 | # |
| 302 | #·Example·Call(s): | 340 | #·Example·Call(s): |
| 303 | # | 341 | # |
| 304 | #·····service_command·enable·bluetooth | 342 | #·····service_command·enable·bluetooth |
| 305 | #·····service_command·disable·bluetooth.service | 343 | #·····service_command·disable·bluetooth.service |
| 306 | # | 344 | # |
| Offset 375, 58 lines modified | Offset 419, 14 lines modified | ||
| 375 | } | 419 | } |
| 376 | service_command·disable·ypbind | 420 | service_command·disable·ypbind |
| 377 | #·END·fix·for·'service_ypbind_disabled' | 421 | #·END·fix·for·'service_ypbind_disabled' |
| 378 | ############################################################################### | 422 | ############################################################################### |
| 379 | #·BEGIN·fix·(11·/·358)·for·'package_ypbind_removed' | ||
| 380 | ############################################################################### | ||
| 381 | (>&2·echo·"Remediating·rule·11/358:·'package_ypbind_removed'") | ||
| 382 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 383 | # | ||
| 384 | #·Example·Call(s): | ||
| 385 | # | ||
| 386 | #·····package_remove·telnet-server | ||
| 387 | # | ||
| 388 | function·package_remove·{ | ||
| 389 | #·Load·function·arguments·into·local·variables | ||
| 390 | local·package="$1" | ||
| 391 | #·Check·sanity·of·the·input | ||
| 392 | if·[·$#·-ne·"1"·] | ||
| 393 | then | ||
| 394 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 395 | ··echo·"Aborting." | ||
| 396 | ··exit·1 | ||
| 397 | fi | ||
| 398 | if·which·dnf·;·then | ||
| 399 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 400 | ····dnf·remove·-y·"$package" | ||
| 401 | ··fi | ||
| 402 | elif·which·yum·;·then | ||
| 403 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 404 | ····yum·remove·-y·"$package" | ||
| 405 | ··fi | ||
| 406 | elif·which·apt-get·;·then | ||
| 407 | ··apt-get·remove·-y·"$package" | ||
| 408 | else | ||
| 409 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 410 | ··echo·"Aborting." | ||
| 411 | ··exit·1 | ||
| 412 | fi | ||
| 413 | } | ||
| 414 | package_remove·ypbind | ||
| 415 | #·END·fix·for·'package_ypbind_removed' | ||
| 416 | ############################################################################### | ||
| 417 | #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed' | 423 | #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed' |
| 418 | ############################################################################### | 424 | ############################################################################### |
| 419 | (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'") | 425 | (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'") |
| 420 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 426 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 421 | # | 427 | # |
| 422 | #·Example·Call(s): | 428 | #·Example·Call(s): |
| 423 | # | 429 | # |
| Offset 1428, 17 lines modified | Offset 1428, 17 lines modified | ||
| 1428 | #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems' | 1428 | #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems' |
| 1429 | ############################################################################### | 1429 | ############################################################################### |
| 1430 | (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'") | 1430 | (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'") |
| 1431 | #·FIX·FOR·THIS·RULE·IS·MISSING | 1431 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 1432 | #·END·fix·for·'mount_option_nodev_remote_filesystems' | 1432 | #·END·fix·for·'mount_option_nodev_remote_filesystems' |
| Max diff block lines reached; 227689/231532 bytes (98.34%) of diff not shown. | |||
| Offset 304, 17 lines modified | Offset 304, 61 lines modified | ||
| 304 | } | 304 | } |
| 305 | package_remove·telnet-server | 305 | package_remove·telnet-server |
| 306 | #·END·fix·for·'package_telnet-server_removed' | 306 | #·END·fix·for·'package_telnet-server_removed' |
| 307 | ############################################################################### | 307 | ############################################################################### |
| 308 | #·BEGIN·fix·(10·/·358)·for·' | 308 | #·BEGIN·fix·(10·/·358)·for·'package_ypbind_removed' |
| 309 | ############################################################################### | 309 | ############################################################################### |
| 310 | (>&2·echo·"Remediating·rule·10/358:·' | 310 | (>&2·echo·"Remediating·rule·10/358:·'package_ypbind_removed'") |
| 311 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 312 | # | ||
| 313 | #·Example·Call(s): | ||
| 314 | # | ||
| 315 | #·····package_remove·telnet-server | ||
| 316 | # | ||
| 317 | function·package_remove·{ | ||
| 318 | #·Load·function·arguments·into·local·variables | ||
| 319 | local·package="$1" | ||
| 320 | #·Check·sanity·of·the·input | ||
| 321 | if·[·$#·-ne·"1"·] | ||
| 322 | then | ||
| 323 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 324 | ··echo·"Aborting." | ||
| 325 | ··exit·1 | ||
| 326 | fi | ||
| 327 | if·which·dnf·;·then | ||
| 328 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 329 | ····dnf·remove·-y·"$package" | ||
| 330 | ··fi | ||
| 331 | elif·which·yum·;·then | ||
| 332 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 333 | ····yum·remove·-y·"$package" | ||
| 334 | ··fi | ||
| 335 | elif·which·apt-get·;·then | ||
| 336 | ··apt-get·remove·-y·"$package" | ||
| 337 | else | ||
| 338 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 339 | ··echo·"Aborting." | ||
| 340 | ··exit·1 | ||
| 341 | fi | ||
| 342 | } | ||
| 343 | package_remove·ypbind | ||
| 344 | #·END·fix·for·'package_ypbind_removed' | ||
| 345 | ############################################################################### | ||
| 346 | #·BEGIN·fix·(11·/·358)·for·'service_ypbind_disabled' | ||
| 347 | ############################################################################### | ||
| 348 | (>&2·echo·"Remediating·rule·11/358:·'service_ypbind_disabled'") | ||
| 311 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 349 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 312 | # | 350 | # |
| 313 | #·Example·Call(s): | 351 | #·Example·Call(s): |
| 314 | # | 352 | # |
| 315 | #·····service_command·enable·bluetooth | 353 | #·····service_command·enable·bluetooth |
| 316 | #·····service_command·disable·bluetooth.service | 354 | #·····service_command·disable·bluetooth.service |
| 317 | # | 355 | # |
| Offset 386, 58 lines modified | Offset 430, 14 lines modified | ||
| 386 | } | 430 | } |
| 387 | service_command·disable·ypbind | 431 | service_command·disable·ypbind |
| 388 | #·END·fix·for·'service_ypbind_disabled' | 432 | #·END·fix·for·'service_ypbind_disabled' |
| 389 | ############################################################################### | 433 | ############################################################################### |
| 390 | #·BEGIN·fix·(11·/·358)·for·'package_ypbind_removed' | ||
| 391 | ############################################################################### | ||
| 392 | (>&2·echo·"Remediating·rule·11/358:·'package_ypbind_removed'") | ||
| 393 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 394 | # | ||
| 395 | #·Example·Call(s): | ||
| 396 | # | ||
| 397 | #·····package_remove·telnet-server | ||
| 398 | # | ||
| 399 | function·package_remove·{ | ||
| 400 | #·Load·function·arguments·into·local·variables | ||
| 401 | local·package="$1" | ||
| 402 | #·Check·sanity·of·the·input | ||
| 403 | if·[·$#·-ne·"1"·] | ||
| 404 | then | ||
| 405 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 406 | ··echo·"Aborting." | ||
| 407 | ··exit·1 | ||
| 408 | fi | ||
| 409 | if·which·dnf·;·then | ||
| 410 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 411 | ····dnf·remove·-y·"$package" | ||
| 412 | ··fi | ||
| 413 | elif·which·yum·;·then | ||
| 414 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 415 | ····yum·remove·-y·"$package" | ||
| 416 | ··fi | ||
| 417 | elif·which·apt-get·;·then | ||
| 418 | ··apt-get·remove·-y·"$package" | ||
| 419 | else | ||
| 420 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 421 | ··echo·"Aborting." | ||
| 422 | ··exit·1 | ||
| 423 | fi | ||
| 424 | } | ||
| 425 | package_remove·ypbind | ||
| 426 | #·END·fix·for·'package_ypbind_removed' | ||
| 427 | ############################################################################### | ||
| 428 | #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed' | 434 | #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed' |
| 429 | ############################################################################### | 435 | ############################################################################### |
| 430 | (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'") | 436 | (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'") |
| 431 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 437 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 432 | # | 438 | # |
| 433 | #·Example·Call(s): | 439 | #·Example·Call(s): |
| 434 | # | 440 | # |
| Offset 1439, 17 lines modified | Offset 1439, 17 lines modified | ||
| 1439 | #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems' | 1439 | #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems' |
| 1440 | ############################################################################### | 1440 | ############################################################################### |
| 1441 | (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'") | 1441 | (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'") |
| 1442 | #·FIX·FOR·THIS·RULE·IS·MISSING | 1442 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 1443 | #·END·fix·for·'mount_option_nodev_remote_filesystems' | 1443 | #·END·fix·for·'mount_option_nodev_remote_filesystems' |
| Max diff block lines reached; 227689/231532 bytes (98.34%) of diff not shown. | |||
| Offset 793, 19 lines modified | Offset 793, 17 lines modified | ||
| 793 | include_dconf_settings | 793 | include_dconf_settings |
| 794 | dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings' | 794 | dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings' |
| 795 | dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock' | 795 | dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock' |
| 796 | #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled' | 796 | #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled' |
| 797 | ############################################################################### | 797 | ############################################################################### |
| 798 | #·BEGIN·fix·(17·/·94)·for·'dconf_gnome_screensaver_ | 798 | #·BEGIN·fix·(17·/·94)·for·'dconf_gnome_screensaver_mode_blank' |
| 799 | ############################################################################### | 799 | ############################################################################### |
| 800 | (>&2·echo·"Remediating·rule·17/94:·'dconf_gnome_screensaver_ | 800 | (>&2·echo·"Remediating·rule·17/94:·'dconf_gnome_screensaver_mode_blank'") |
| 801 | inactivity_timeout_value="900" | ||
| 802 | function·include_dconf_settings·{ | 801 | function·include_dconf_settings·{ |
| 803 | » : | 802 | » : |
| 804 | } | 803 | } |
| 805 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 804 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 806 | # | 805 | # |
| 807 | #·Example·Call(s): | 806 | #·Example·Call(s): |
| Offset 873, 22 lines modified | Offset 871, 24 lines modified | ||
| 873 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 871 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 874 | » fi | 872 | » fi |
| 875 | } | 873 | } |
| 876 | include_dconf_settings | 874 | include_dconf_settings |
| 877 | dconf_settings·'org/gnome/desktop/s | 875 | dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings' |
| 878 | dconf_lock·'org/gnome/desktop/ses | 876 | dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock' |
| 879 | #·END·fix·for·'dconf_gnome_screensaver_ | 877 | #·END·fix·for·'dconf_gnome_screensaver_mode_blank' |
| 880 | ############################################################################### | 878 | ############################################################################### |
| 881 | #·BEGIN·fix·(18·/·94)·for·'dconf_gnome_screensaver_ | 879 | #·BEGIN·fix·(18·/·94)·for·'dconf_gnome_screensaver_idle_delay' |
| 882 | ############################################################################### | 880 | ############################################################################### |
| 883 | (>&2·echo·"Remediating·rule·18/94:·'dconf_gnome_screensaver_ | 881 | (>&2·echo·"Remediating·rule·18/94:·'dconf_gnome_screensaver_idle_delay'") |
| 882 | inactivity_timeout_value="900" | ||
| 884 | function·include_dconf_settings·{ | 883 | function·include_dconf_settings·{ |
| 885 | » : | 884 | » : |
| 886 | } | 885 | } |
| 887 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 886 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 888 | # | 887 | # |
| 889 | #·Example·Call(s): | 888 | #·Example·Call(s): |
| Offset 956, 17 lines modified | Offset 956, 17 lines modified | ||
| 956 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 956 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 957 | » fi | 957 | » fi |
| 958 | } | 958 | } |
| 959 | include_dconf_settings | 959 | include_dconf_settings |
| 960 | dconf_settings·'org/gnome/desktop/s | 960 | dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings' |
| 961 | dconf_lock·'org/gnome/desktop/s | 961 | dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock' |
| 962 | #·END·fix·for·'dconf_gnome_screensaver_ | 962 | #·END·fix·for·'dconf_gnome_screensaver_idle_delay' |
| 963 | ############################################################################### | 963 | ############################################################################### |
| 964 | #·BEGIN·fix·(19·/·94)·for·'dconf_gnome_screensaver_lock_enabled' | 964 | #·BEGIN·fix·(19·/·94)·for·'dconf_gnome_screensaver_lock_enabled' |
| 965 | ############################################################################### | 965 | ############################################################################### |
| 966 | (>&2·echo·"Remediating·rule·19/94:·'dconf_gnome_screensaver_lock_enabled'") | 966 | (>&2·echo·"Remediating·rule·19/94:·'dconf_gnome_screensaver_lock_enabled'") |
| 967 | function·include_dconf_settings·{ | 967 | function·include_dconf_settings·{ |
| 968 | » : | 968 | » : |
| Offset 2117, 72 lines modified | Offset 2117, 72 lines modified | ||
| 2117 | ··sed·-i·'s/^action_mail_acct.*/action_mail_acct·=·'"$var_auditd_action_mail_acct"'/g'·$AUDITCONFIG | 2117 | ··sed·-i·'s/^action_mail_acct.*/action_mail_acct·=·'"$var_auditd_action_mail_acct"'/g'·$AUDITCONFIG |
| 2118 | if·!·[·$?·-eq·0·];·then | 2118 | if·!·[·$?·-eq·0·];·then |
| 2119 | ··echo·"action_mail_acct·=·$var_auditd_action_mail_acct"·>>·$AUDITCONFIG | 2119 | ··echo·"action_mail_acct·=·$var_auditd_action_mail_acct"·>>·$AUDITCONFIG |
| 2120 | fi | 2120 | fi |
| 2121 | #·END·fix·for·'auditd_data_retention_action_mail_acct' | 2121 | #·END·fix·for·'auditd_data_retention_action_mail_acct' |
| 2122 | ############################################################################### | 2122 | ############################################################################### |
| 2123 | #·BEGIN·fix·(48·/·94)·for·'auditd_data_retention_space_left_action' | 2123 | #·BEGIN·fix·(48·/·94)·for·'auditd_data_retention_admin_space_left_action' |
| 2124 | ############################################################################### | 2124 | ############################################################################### |
| 2125 | (>&2·echo·"Remediating·rule·48/94:·'auditd_data_retention_space_left_action'") | 2125 | (>&2·echo·"Remediating·rule·48/94:·'auditd_data_retention_admin_space_left_action'") |
| 2126 | var_auditd_space_left_action="suspend" | ||
| 2127 | grep·-q·^space_left_action·/etc/audit/auditd.conf·&&·\ | ||
| 2128 | ··sed·-i·"s/space_left_action.*/space_left_action·=·$var_auditd_space_left_action/g"·/etc/audit/auditd.conf | ||
| 2129 | if·!·[·$?·-eq·0·];·then | ||
| 2130 | ····echo·"space_left_action·=·$var_auditd_space_left_action"·>>·/etc/audit/auditd.conf | ||
| 2131 | fi | ||
| 2132 | #·END·fix·for·'auditd_data_retention_space_left_action' | ||
| 2133 | ############################################################################### | ||
| 2134 | #·BEGIN·fix·(49·/·94)·for·'auditd_data_retention_admin_space_left_action' | ||
| 2135 | ############################################################################### | ||
| 2136 | (>&2·echo·"Remediating·rule·49/94:·'auditd_data_retention_admin_space_left_action'") | ||
| 2137 | var_auditd_admin_space_left_action="suspend" | 2126 | var_auditd_admin_space_left_action="suspend" |
| 2138 | grep·-q·^admin_space_left_action·/etc/audit/auditd.conf·&&·\ | 2127 | grep·-q·^admin_space_left_action·/etc/audit/auditd.conf·&&·\ |
| 2139 | ··sed·-i·"s/admin_space_left_action.*/admin_space_left_action·=·$var_auditd_admin_space_left_action/g"·/etc/audit/auditd.conf | 2128 | ··sed·-i·"s/admin_space_left_action.*/admin_space_left_action·=·$var_auditd_admin_space_left_action/g"·/etc/audit/auditd.conf |
| 2140 | if·!·[·$?·-eq·0·];·then | 2129 | if·!·[·$?·-eq·0·];·then |
| 2141 | ····echo·"admin_space_left_action·=·$var_auditd_admin_space_left_action"·>>·/etc/audit/auditd.conf | 2130 | ····echo·"admin_space_left_action·=·$var_auditd_admin_space_left_action"·>>·/etc/audit/auditd.conf |
| 2142 | fi | 2131 | fi |
| 2143 | #·END·fix·for·'auditd_data_retention_admin_space_left_action' | 2132 | #·END·fix·for·'auditd_data_retention_admin_space_left_action' |
| 2144 | ############################################################################### | 2133 | ############################################################################### |
| 2145 | #·BEGIN·fix·( | 2134 | #·BEGIN·fix·(49·/·94)·for·'auditd_data_retention_max_log_file_action' |
| 2146 | ############################################################################### | 2135 | ############################################################################### |
| 2147 | (>&2·echo·"Remediating·rule· | 2136 | (>&2·echo·"Remediating·rule·49/94:·'auditd_data_retention_max_log_file_action'") |
| 2148 | var_auditd_ | 2137 | var_auditd_max_log_file_action="rotate" |
| 2149 | AUDITCONFIG=/etc/audit/auditd.conf | 2138 | AUDITCONFIG=/etc/audit/auditd.conf |
| 2150 | grep·-q·^ | 2139 | grep·-q·^max_log_file_action·$AUDITCONFIG·&&·\ |
| 2151 | ··sed·-i·'s/^ | 2140 | ··sed·-i·'s/^max_log_file_action.*/max_log_file_action·=·'"$var_auditd_max_log_file_action"'/g'·$AUDITCONFIG |
| 2152 | if·!·[·$?·-eq·0·];·then | 2141 | if·!·[·$?·-eq·0·];·then |
| 2153 | ··echo·" | 2142 | ··echo·"max_log_file_action·=·$var_auditd_max_log_file_action"·>>·$AUDITCONFIG |
| 2154 | fi | 2143 | fi |
| 2155 | #·END·fix·for·'auditd_data_retention_ | 2144 | #·END·fix·for·'auditd_data_retention_max_log_file_action' |
| 2156 | ############################################################################### | 2145 | ############################################################################### |
| 2157 | #·BEGIN·fix·(5 | 2146 | #·BEGIN·fix·(50·/·94)·for·'auditd_data_retention_space_left_action' |
| 2158 | ############################################################################### | 2147 | ############################################################################### |
| 2159 | (>&2·echo·"Remediating·rule·5 | 2148 | (>&2·echo·"Remediating·rule·50/94:·'auditd_data_retention_space_left_action'") |
| 2160 | var_auditd_ | 2149 | var_auditd_space_left_action="suspend" |
| 2150 | grep·-q·^space_left_action·/etc/audit/auditd.conf·&&·\ | ||
| 2151 | ··sed·-i·"s/space_left_action.*/space_left_action·=·$var_auditd_space_left_action/g"·/etc/audit/auditd.conf | ||
| 2152 | if·!·[·$?·-eq·0·];·then | ||
| 2153 | ····echo·"space_left_action·=·$var_auditd_space_left_action"·>>·/etc/audit/auditd.conf | ||
| 2154 | fi | ||
| 2155 | #·END·fix·for·'auditd_data_retention_space_left_action' | ||
| Max diff block lines reached; 54266/61706 bytes (87.94%) of diff not shown. | |||
| Offset 376, 17 lines modified | Offset 376, 19 lines modified | ||
| 376 | ··fi | 376 | ··fi |
| 377 | } | 377 | } |
| 378 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' | 378 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' |
| 379 | #·END·fix·for·'sshd_set_keepalive' | 379 | #·END·fix·for·'sshd_set_keepalive' |
| 380 | ############################################################################### | 380 | ############################################################################### |
| 381 | #·BEGIN·fix·(7·/·70)·for·'sshd_e | 381 | #·BEGIN·fix·(7·/·70)·for·'sshd_set_idle_timeout' |
| 382 | ############################################################################### | 382 | ############################################################################### |
| 383 | (>&2·echo·"Remediating·rule·7/70:·'sshd_e | 383 | (>&2·echo·"Remediating·rule·7/70:·'sshd_set_idle_timeout'") |
| 384 | sshd_idle_timeout_value="300" | ||
| 384 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 385 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 385 | #·it·does·not·exist. | 386 | #·it·does·not·exist. |
| 386 | # | 387 | # |
| 387 | #·Expects·arguments: | 388 | #·Expects·arguments: |
| 388 | # | 389 | # |
| 389 | #·config_file:» » Configuration·file·that·will·be·modified | 390 | #·config_file:» » Configuration·file·that·will·be·modified |
| 390 | #·key:» » » Configuration·option·to·change | 391 | #·key:» » » Configuration·option·to·change |
| Offset 457, 21 lines modified | Offset 459, 21 lines modified | ||
| 457 | ··else | 459 | ··else |
| 458 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 460 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 459 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 461 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 460 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 462 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 461 | ··fi | 463 | ··fi |
| 462 | } | 464 | } |
| 463 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 465 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 464 | #·END·fix·for·'sshd_e | 466 | #·END·fix·for·'sshd_set_idle_timeout' |
| 465 | ############################################################################### | 467 | ############################################################################### |
| 466 | #·BEGIN·fix·(8·/·70)·for·'sshd_ | 468 | #·BEGIN·fix·(8·/·70)·for·'sshd_enable_warning_banner' |
| 467 | ############################################################################### | 469 | ############################################################################### |
| 468 | (>&2·echo·"Remediating·rule·8/70:·'sshd_ | 470 | (>&2·echo·"Remediating·rule·8/70:·'sshd_enable_warning_banner'") |
| 469 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 471 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 470 | #·it·does·not·exist. | 472 | #·it·does·not·exist. |
| 471 | # | 473 | # |
| 472 | #·Expects·arguments: | 474 | #·Expects·arguments: |
| 473 | # | 475 | # |
| 474 | #·config_file:» » Configuration·file·that·will·be·modified | 476 | #·config_file:» » Configuration·file·that·will·be·modified |
| 475 | #·key:» » » Configuration·option·to·change | 477 | #·key:» » » Configuration·option·to·change |
| Offset 542, 16 lines modified | Offset 544, 16 lines modified | ||
| 542 | ··else | 544 | ··else |
| 543 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 545 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 544 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 546 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 545 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 547 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 546 | ··fi | 548 | ··fi |
| 547 | } | 549 | } |
| 548 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 550 | replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s' |
| 549 | #·END·fix·for·'sshd_ | 551 | #·END·fix·for·'sshd_enable_warning_banner' |
| 550 | ############################################################################### | 552 | ############################################################################### |
| 551 | #·BEGIN·fix·(9·/·70)·for·'sshd_allow_only_protocol2' | 553 | #·BEGIN·fix·(9·/·70)·for·'sshd_allow_only_protocol2' |
| 552 | ############################################################################### | 554 | ############################################################################### |
| 553 | (>&2·echo·"Remediating·rule·9/70:·'sshd_allow_only_protocol2'") | 555 | (>&2·echo·"Remediating·rule·9/70:·'sshd_allow_only_protocol2'") |
| 554 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 556 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 555 | #·it·does·not·exist. | 557 | #·it·does·not·exist. |
| Offset 716, 19 lines modified | Offset 718, 17 lines modified | ||
| 716 | ··fi | 718 | ··fi |
| 717 | } | 719 | } |
| 718 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s' | 720 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s' |
| 719 | #·END·fix·for·'sshd_disable_rhosts' | 721 | #·END·fix·for·'sshd_disable_rhosts' |
| 720 | ############################################################################### | 722 | ############################################################################### |
| 721 | #·BEGIN·fix·(11·/·70)·for·'sshd_ | 723 | #·BEGIN·fix·(11·/·70)·for·'sshd_do_not_permit_user_env' |
| 722 | ############################################################################### | 724 | ############################################################################### |
| 723 | (>&2·echo·"Remediating·rule·11/70:·'sshd_ | 725 | (>&2·echo·"Remediating·rule·11/70:·'sshd_do_not_permit_user_env'") |
| 724 | sshd_idle_timeout_value="300" | ||
| 725 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 726 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 726 | #·it·does·not·exist. | 727 | #·it·does·not·exist. |
| 727 | # | 728 | # |
| 728 | #·Expects·arguments: | 729 | #·Expects·arguments: |
| 729 | # | 730 | # |
| 730 | #·config_file:» » Configuration·file·that·will·be·modified | 731 | #·config_file:» » Configuration·file·that·will·be·modified |
| 731 | #·key:» » » Configuration·option·to·change | 732 | #·key:» » » Configuration·option·to·change |
| Offset 799, 16 lines modified | Offset 799, 16 lines modified | ||
| 799 | ··else | 799 | ··else |
| 800 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 800 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 801 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 801 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 802 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 802 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 803 | ··fi | 803 | ··fi |
| 804 | } | 804 | } |
| 805 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 805 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s' |
| 806 | #·END·fix·for·'sshd_ | 806 | #·END·fix·for·'sshd_do_not_permit_user_env' |
| 807 | ############################################################################### | 807 | ############################################################################### |
| 808 | #·BEGIN·fix·(12·/·70)·for·'sshd_use_approved_ciphers' | 808 | #·BEGIN·fix·(12·/·70)·for·'sshd_use_approved_ciphers' |
| 809 | ############################################################################### | 809 | ############################################################################### |
| 810 | (>&2·echo·"Remediating·rule·12/70:·'sshd_use_approved_ciphers'") | 810 | (>&2·echo·"Remediating·rule·12/70:·'sshd_use_approved_ciphers'") |
| 811 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 811 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 812 | #·it·does·not·exist. | 812 | #·it·does·not·exist. |
| Offset 1502, 26 lines modified | Offset 1502, 26 lines modified | ||
| 1502 | ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs | 1502 | ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs |
| 1503 | if·!·[·$?·-eq·0·];·then | 1503 | if·!·[·$?·-eq·0·];·then |
| 1504 | ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs | 1504 | ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs |
| 1505 | fi | 1505 | fi |
| 1506 | #·END·fix·for·'accounts_minimum_age_login_defs' | 1506 | #·END·fix·for·'accounts_minimum_age_login_defs' |
| 1507 | ############################################################################### | 1507 | ############################################################################### |
| 1508 | #·BEGIN·fix·(34·/·70)·for·' | 1508 | #·BEGIN·fix·(34·/·70)·for·'no_shelllogin_for_systemaccounts' |
| 1509 | ############################################################################### | 1509 | ############################################################################### |
| 1510 | (>&2·echo·"Remediating·rule·34/70:·' | 1510 | (>&2·echo·"Remediating·rule·34/70:·'no_shelllogin_for_systemaccounts'") |
| 1511 | 1511 | #·FIX·FOR·THIS·RULE·IS·MISSING | |
| 1512 | #·END·fix·for·' | 1512 | #·END·fix·for·'no_shelllogin_for_systemaccounts' |
| 1513 | ############################################################################### | 1513 | ############################################################################### |
| 1514 | #·BEGIN·fix·(35·/·70)·for·' | 1514 | #·BEGIN·fix·(35·/·70)·for·'accounts_no_uid_except_zero' |
| 1515 | ############################################################################### | 1515 | ############################################################################### |
| 1516 | (>&2·echo·"Remediating·rule·35/70:·' | 1516 | (>&2·echo·"Remediating·rule·35/70:·'accounts_no_uid_except_zero'") |
| 1517 | 1517 | awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l | |
| 1518 | #·END·fix·for·' | 1518 | #·END·fix·for·'accounts_no_uid_except_zero' |
| 1519 | ############################################################################### | 1519 | ############################################################################### |
| 1520 | #·BEGIN·fix·(36·/·70)·for·'accounts_password_all_shadowed' | 1520 | #·BEGIN·fix·(36·/·70)·for·'accounts_password_all_shadowed' |
| 1521 | ############################################################################### | 1521 | ############################################################################### |
| 1522 | (>&2·echo·"Remediating·rule·36/70:·'accounts_password_all_shadowed'") | 1522 | (>&2·echo·"Remediating·rule·36/70:·'accounts_password_all_shadowed'") |
| 1523 | #·FIX·FOR·THIS·RULE·IS·MISSING | 1523 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 1524 | #·END·fix·for·'accounts_password_all_shadowed' | 1524 | #·END·fix·for·'accounts_password_all_shadowed' |
| Offset 2267, 37 lines modified | Offset 2267, 37 lines modified | ||
| 2267 | ############################################################################### | 2267 | ############################################################################### |
| 2268 | (>&2·echo·"Remediating·rule·66/70:·'file_permissions_etc_passwd'") | 2268 | (>&2·echo·"Remediating·rule·66/70:·'file_permissions_etc_passwd'") |
| 2269 | chmod·0644·/etc/passwd | 2269 | chmod·0644·/etc/passwd |
| Max diff block lines reached; 1963/8920 bytes (22.01%) of diff not shown. | |||
| Offset 1476, 158 lines modified | Offset 1476, 17 lines modified | ||
| 1476 | } | 1476 | } |
| 1477 | fix_audit_watch_rule·"auditctl"·"/usr/sbin/modprobe"·"x"·"modules" | 1477 | fix_audit_watch_rule·"auditctl"·"/usr/sbin/modprobe"·"x"·"modules" |
| 1478 | fix_audit_watch_rule·"augenrules"·"/usr/sbin/modprobe"·"x"·"modules" | 1478 | fix_audit_watch_rule·"augenrules"·"/usr/sbin/modprobe"·"x"·"modules" |
| 1479 | #·END·fix·for·'audit_rules_kernel_module_loading' | 1479 | #·END·fix·for·'audit_rules_kernel_module_loading' |
| 1480 | ############################################################################### | 1480 | ############################################################################### |
| 1481 | #·BEGIN·fix·(19·/·51)·for·'audit_rules_time_ | 1481 | #·BEGIN·fix·(19·/·51)·for·'audit_rules_time_stime' |
| 1482 | ############################################################################### | 1482 | ############################################################################### |
| 1483 | (>&2·echo·"Remediating·rule·19/51:·'audit_rules_time_ | 1483 | (>&2·echo·"Remediating·rule·19/51:·'audit_rules_time_stime'") |
| 1484 | #·Perform·the·remediation·for·both·possible·tools:·'auditctl'·and·'augenrules' | ||
| 1485 | #·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: | ||
| 1486 | #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements | ||
| 1487 | #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect | ||
| 1488 | #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules | ||
| 1489 | # | ||
| 1490 | #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: | ||
| 1491 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, | ||
| 1492 | #·» » » » » either·'auditctl',·or·'augenrules' | ||
| 1493 | #·*·path························» value·of·-w·audit·rule's·argument | ||
| 1494 | #·*·required·access·bits········» value·of·-p·audit·rule's·argument | ||
| 1495 | #·*·key·························» value·of·-k·audit·rule's·argument | ||
| 1496 | # | ||
| 1497 | #·Example·call: | ||
| 1498 | # | ||
| 1499 | #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" | ||
| 1500 | # | ||
| 1501 | function·fix_audit_watch_rule·{ | ||
| 1502 | #·Load·function·arguments·into·local·variables | ||
| 1503 | local·tool="$1" | ||
| 1504 | local·path="$2" | ||
| 1505 | local·required_access_bits="$3" | ||
| 1506 | local·key="$4" | ||
| 1507 | #·Check·sanity·of·the·input | ||
| 1508 | if·[·$#·-ne·"4"·] | ||
| 1509 | then | ||
| 1510 | » echo·"Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'" | ||
| 1511 | » echo·"Aborting." | ||
| 1512 | » exit·1 | ||
| 1513 | fi | ||
| 1514 | #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness | ||
| 1515 | #·of·a·particular·audit·rule.·The·scheme·is·as·follows: | ||
| 1516 | # | ||
| 1517 | #·----------------------------------------------------------------------------------------- | ||
| 1518 | #·Tool·used·to·load·audit·rules» |·Rule·already·defined» |··Audit·rules·file·to·inspect» ··| | ||
| 1519 | #·----------------------------------------------------------------------------------------- | ||
| 1520 | #» auditctl» » |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| | ||
| 1521 | #·----------------------------------------------------------------------------------------- | ||
| 1522 | #·» augenrules» » |··········Yes»»|··/etc/audit/rules.d/*.rules» ··| | ||
| 1523 | #·» augenrules» » |··········No» » |··/etc/audit/rules.d/$key.rules··| | ||
| 1524 | #·----------------------------------------------------------------------------------------- | ||
| 1525 | declare·-a·files_to_inspect | ||
| 1526 | #·Check·sanity·of·the·specified·audit·tool | ||
| 1527 | if·[·"$tool"·!=·'auditctl'·]·&&·[·"$tool"·!=·'augenrules'·] | ||
| 1528 | then | ||
| 1529 | » echo·"Unknown·audit·rules·loading·tool:·$1.·Aborting." | ||
| 1530 | » echo·"Use·either·'auditctl'·or·'augenrules'!" | ||
| 1531 | » exit·1 | ||
| 1532 | #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' | ||
| 1533 | #·into·the·list·of·files·to·be·inspected | ||
| 1534 | elif·[·"$tool"·==·'auditctl'·] | ||
| 1535 | then | ||
| 1536 | » files_to_inspect=("${files_to_inspect[@]}"·'/etc/audit/audit.rules') | ||
| 1537 | #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined | ||
| 1538 | #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. | ||
| 1539 | #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. | ||
| 1540 | elif·[·"$tool"·==·'augenrules'·] | ||
| 1541 | then | ||
| 1542 | » #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file | ||
| 1543 | » #·Get·pair·--·filepath·:·matching_row·into·@matches·array | ||
| 1544 | » IFS=$'\n'·matches=($(grep·-P·"[\s]*-w[\s]+$path"·/etc/audit/rules.d/*.rules)) | ||
| 1545 | » #·Reset·IFS·back·to·default | ||
| 1546 | » unset·IFS | ||
| 1547 | » #·For·each·of·the·matched·entries | ||
| 1548 | » for·match·in·"${matches[@]}" | ||
| 1549 | » do | ||
| 1550 | » » #·Extract·filepath·from·the·match | ||
| 1551 | » » rulesd_audit_file=$(echo·$match·|·cut·-f1·-d·':') | ||
| 1552 | » » #·Append·that·path·into·list·of·files·for·inspection | ||
| 1553 | » » files_to_inspect=("${files_to_inspect[@]}"·"$rulesd_audit_file") | ||
| 1554 | » done | ||
| 1555 | » #·Case·when·particular·audit·rule·isn't·defined·yet | ||
| 1556 | » if·[·${#files_to_inspect[@]}·-eq·"0"·] | ||
| 1557 | » then | ||
| 1558 | » » #·Append·'/etc/audit/rules.d/$key.rules'·into·list·of·files·for·inspection | ||
| 1559 | » » files_to_inspect="/etc/audit/rules.d/$key.rules" | ||
| 1560 | » » #·If·the·$key.rules·file·doesn't·exist·yet,·create·it·with·correct·permissions | ||
| 1561 | » » if·[·!·-e·"$files_to_inspect"·] | ||
| 1562 | » » then | ||
| 1563 | » » » touch·"$files_to_inspect" | ||
| 1564 | » » » chmod·0640·"$files_to_inspect" | ||
| 1565 | » » fi | ||
| 1566 | » fi | ||
| 1567 | fi | ||
| 1568 | #·Finally·perform·the·inspection·and·possible·subsequent·audit·rule | ||
| 1569 | #·correction·for·each·of·the·files·previously·identified·for·inspection | ||
| 1570 | for·audit_rules_file·in·"${files_to_inspect[@]}" | ||
| 1571 | do | ||
| 1572 | » #·Check·if·audit·watch·file·system·object·rule·for·given·path·already·present | ||
| 1573 | » if·grep·-q·-P·--·"[\s]*-w[\s]+$path"·"$audit_rules_file" | ||
| 1574 | » then | ||
| 1575 | » » #·Rule·is·found·=>·verify·yet·if·existing·rule·definition·contains | ||
| 1576 | » » #·all·of·the·required·access·type·bits | ||
| 1577 | » » #·Escape·slashes·in·path·for·use·in·sed·pattern·below | ||
| 1578 | » » local·esc_path=${path//$'/'/$'\/'} | ||
| 1579 | » » #·Define·BRE·whitespace·class·shortcut | ||
| 1580 | » » local·sp="[[:space:]]" | ||
| 1581 | » » #·Extract·current·permission·access·types·(e.g.·-p·[r|w|x|a]·values)·from·audit·rule | ||
| 1582 | » » current_access_bits=$(sed·-ne·"s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p"·"$audit_rules_file") | ||
| 1583 | » » #·Split·required·access·bits·string·into·characters·array | ||
| 1584 | » » #·(to·check·bit's·presence·for·one·bit·at·a·time) | ||
| 1585 | » » for·access_bit·in·$(echo·"$required_access_bits"·|·grep·-o·.) | ||
| 1586 | » » do | ||
| 1587 | » » » #·For·each·from·the·required·access·bits·(e.g.·'w',·'a')·check | ||
| 1588 | » » » #·if·they·are·already·present·in·current·access·bits·for·rule. | ||
| 1589 | » » » #·If·not,·append·that·bit·at·the·end | ||
| 1590 | » » » if·!·grep·-q·"$access_bit"·<<<·"$current_access_bits" | ||
| 1591 | » » » then | ||
| Max diff block lines reached; 47569/54366 bytes (87.50%) of diff not shown. | |||
| Offset 496, 17 lines modified | Offset 496, 17 lines modified | ||
| 496 | #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems' | 496 | #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems' |
| 497 | ############################################################################### | 497 | ############################################################################### |
| 498 | (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'") | 498 | (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'") |
| 499 | #·FIX·FOR·THIS·RULE·IS·MISSING | 499 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 500 | #·END·fix·for·'mount_option_nosuid_remote_filesystems' | 500 | #·END·fix·for·'mount_option_nosuid_remote_filesystems' |
| 501 | ############################################################################### | 501 | ############################################################################### |
| 502 | #·BEGIN·fix·(23·/·243)·for·'sshd_ | 502 | #·BEGIN·fix·(23·/·243)·for·'sshd_enable_strictmodes' |
| 503 | ############################################################################### | 503 | ############################################################################### |
| 504 | (>&2·echo·"Remediating·rule·23/243:·'sshd_ | 504 | (>&2·echo·"Remediating·rule·23/243:·'sshd_enable_strictmodes'") |
| 505 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 505 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 506 | #·it·does·not·exist. | 506 | #·it·does·not·exist. |
| 507 | # | 507 | # |
| 508 | #·Expects·arguments: | 508 | #·Expects·arguments: |
| 509 | # | 509 | # |
| 510 | #·config_file:» » Configuration·file·that·will·be·modified | 510 | #·config_file:» » Configuration·file·that·will·be·modified |
| 511 | #·key:» » » Configuration·option·to·change | 511 | #·key:» » » Configuration·option·to·change |
| Offset 577, 21 lines modified | Offset 577, 21 lines modified | ||
| 577 | ··else | 577 | ··else |
| 578 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 578 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 579 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 579 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 580 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 580 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 581 | ··fi | 581 | ··fi |
| 582 | } | 582 | } |
| 583 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 583 | replace_or_append·'/etc/ssh/sshd_config'·'^StrictModes'·'yes'·'CCE-80222-3'·'%s·%s' |
| 584 | #·END·fix·for·'sshd_ | 584 | #·END·fix·for·'sshd_enable_strictmodes' |
| 585 | ############################################################################### | 585 | ############################################################################### |
| 586 | #·BEGIN·fix·(24·/·243)·for·'sshd_disable_ | 586 | #·BEGIN·fix·(24·/·243)·for·'sshd_disable_user_known_hosts' |
| 587 | ############################################################################### | 587 | ############################################################################### |
| 588 | (>&2·echo·"Remediating·rule·24/243:·'sshd_disable_ | 588 | (>&2·echo·"Remediating·rule·24/243:·'sshd_disable_user_known_hosts'") |
| 589 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 589 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 590 | #·it·does·not·exist. | 590 | #·it·does·not·exist. |
| 591 | # | 591 | # |
| 592 | #·Expects·arguments: | 592 | #·Expects·arguments: |
| 593 | # | 593 | # |
| 594 | #·config_file:» » Configuration·file·that·will·be·modified | 594 | #·config_file:» » Configuration·file·that·will·be·modified |
| 595 | #·key:» » » Configuration·option·to·change | 595 | #·key:» » » Configuration·option·to·change |
| Offset 662, 21 lines modified | Offset 662, 21 lines modified | ||
| 662 | ··else | 662 | ··else |
| 663 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 663 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 664 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 664 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 665 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 665 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 666 | ··fi | 666 | ··fi |
| 667 | } | 667 | } |
| 668 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 668 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreUserKnownHosts'·'yes'·'CCE-80372-6'·'%s·%s' |
| 669 | #·END·fix·for·'sshd_disable_ | 669 | #·END·fix·for·'sshd_disable_user_known_hosts' |
| 670 | ############################################################################### | 670 | ############################################################################### |
| 671 | #·BEGIN·fix·(25·/·243)·for·'sshd_set_ | 671 | #·BEGIN·fix·(25·/·243)·for·'sshd_disable_empty_passwords' |
| 672 | ############################################################################### | 672 | ############################################################################### |
| 673 | (>&2·echo·"Remediating·rule·25/243:·'sshd_set_ | 673 | (>&2·echo·"Remediating·rule·25/243:·'sshd_disable_empty_passwords'") |
| 674 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 674 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 675 | #·it·does·not·exist. | 675 | #·it·does·not·exist. |
| 676 | # | 676 | # |
| 677 | #·Expects·arguments: | 677 | #·Expects·arguments: |
| 678 | # | 678 | # |
| 679 | #·config_file:» » Configuration·file·that·will·be·modified | 679 | #·config_file:» » Configuration·file·that·will·be·modified |
| 680 | #·key:» » » Configuration·option·to·change | 680 | #·key:» » » Configuration·option·to·change |
| Offset 747, 21 lines modified | Offset 747, 21 lines modified | ||
| 747 | ··else | 747 | ··else |
| 748 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 748 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 749 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 749 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 750 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 750 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 751 | ··fi | 751 | ··fi |
| 752 | } | 752 | } |
| 753 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 753 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s' |
| 754 | #·END·fix·for·'sshd_set_ | 754 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 755 | ############################################################################### | 755 | ############################################################################### |
| 756 | #·BEGIN·fix·(26·/·243)·for·'sshd_ | 756 | #·BEGIN·fix·(26·/·243)·for·'sshd_set_keepalive' |
| 757 | ############################################################################### | 757 | ############################################################################### |
| 758 | (>&2·echo·"Remediating·rule·26/243:·'sshd_ | 758 | (>&2·echo·"Remediating·rule·26/243:·'sshd_set_keepalive'") |
| 759 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 759 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 760 | #·it·does·not·exist. | 760 | #·it·does·not·exist. |
| 761 | # | 761 | # |
| 762 | #·Expects·arguments: | 762 | #·Expects·arguments: |
| 763 | # | 763 | # |
| 764 | #·config_file:» » Configuration·file·that·will·be·modified | 764 | #·config_file:» » Configuration·file·that·will·be·modified |
| 765 | #·key:» » » Configuration·option·to·change | 765 | #·key:» » » Configuration·option·to·change |
| Offset 832, 21 lines modified | Offset 832, 23 lines modified | ||
| 832 | ··else | 832 | ··else |
| 833 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 833 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 834 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 834 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 835 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 835 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 836 | ··fi | 836 | ··fi |
| 837 | } | 837 | } |
| 838 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 838 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' |
| 839 | #·END·fix·for·'sshd_ | 839 | #·END·fix·for·'sshd_set_keepalive' |
| 840 | ############################################################################### | 840 | ############################################################################### |
| 841 | #·BEGIN·fix·(27·/·243)·for·'sshd_e | 841 | #·BEGIN·fix·(27·/·243)·for·'sshd_set_idle_timeout' |
| 842 | ############################################################################### | 842 | ############################################################################### |
| 843 | (>&2·echo·"Remediating·rule·27/243:·'sshd_e | 843 | (>&2·echo·"Remediating·rule·27/243:·'sshd_set_idle_timeout'") |
| 844 | sshd_idle_timeout_value="600" | ||
| 844 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 845 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 845 | #·it·does·not·exist. | 846 | #·it·does·not·exist. |
| 846 | # | 847 | # |
| 847 | #·Expects·arguments: | 848 | #·Expects·arguments: |
| 848 | # | 849 | # |
| 849 | #·config_file:» » Configuration·file·that·will·be·modified | 850 | #·config_file:» » Configuration·file·that·will·be·modified |
| 850 | #·key:» » » Configuration·option·to·change | 851 | #·key:» » » Configuration·option·to·change |
| Offset 917, 23 lines modified | Offset 919, 21 lines modified | ||
| 917 | ··else | 919 | ··else |
| 918 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 920 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 919 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 921 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 920 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 922 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 921 | ··fi | 923 | ··fi |
| 922 | } | 924 | } |
| 923 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 925 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 924 | #·END·fix·for·'sshd_e | 926 | #·END·fix·for·'sshd_set_idle_timeout' |
| 925 | ############################################################################### | 927 | ############################################################################### |
| 926 | #·BEGIN·fix·(28·/·243)·for·'sshd_ | 928 | #·BEGIN·fix·(28·/·243)·for·'sshd_enable_warning_banner' |
| 927 | ############################################################################### | 929 | ############################################################################### |
| 928 | (>&2·echo·"Remediating·rule·28/243:·'sshd_ | 930 | (>&2·echo·"Remediating·rule·28/243:·'sshd_enable_warning_banner'") |
| 929 | sshd_approved_macs="hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com" | ||
| 930 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 931 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 931 | #·it·does·not·exist. | 932 | #·it·does·not·exist. |
| 932 | # | 933 | # |
| Max diff block lines reached; 122126/129181 bytes (94.54%) of diff not shown. | |||
| Offset 27, 17 lines modified | Offset 27, 17 lines modified | ||
| 27 | # | 27 | # |
| 28 | #·How·to·apply·this·remediation·role: | 28 | #·How·to·apply·this·remediation·role: |
| 29 | #·$·sudo·./remediation-role.sh | 29 | #·$·sudo·./remediation-role.sh |
| 30 | # | 30 | # |
| 31 | ############################################################################### | 31 | ############################################################################### |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | #·BEGIN·fix·(1·/·188)·for·'package_s | 33 | #·BEGIN·fix·(1·/·188)·for·'package_vsftpd_removed' |
| 34 | ############################################################################### | 34 | ############################################################################### |
| 35 | (>&2·echo·"Remediating·rule·1/188:·'package_s | 35 | (>&2·echo·"Remediating·rule·1/188:·'package_vsftpd_removed'") |
| 36 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 36 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 37 | # | 37 | # |
| 38 | #·Example·Call(s): | 38 | #·Example·Call(s): |
| 39 | # | 39 | # |
| 40 | #·····package_remove·telnet-server | 40 | #·····package_remove·telnet-server |
| 41 | # | 41 | # |
| 42 | function·package_remove·{ | 42 | function·package_remove·{ |
| Offset 67, 16 lines modified | Offset 67, 16 lines modified | ||
| 67 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 67 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 68 | ··echo·"Aborting." | 68 | ··echo·"Aborting." |
| 69 | ··exit·1 | 69 | ··exit·1 |
| 70 | fi | 70 | fi |
| 71 | } | 71 | } |
| 72 | package_remove·s | 72 | package_remove·vsftpd |
| 73 | #·END·fix·for·'package_s | 73 | #·END·fix·for·'package_vsftpd_removed' |
| 74 | ############################################################################### | 74 | ############################################################################### |
| 75 | #·BEGIN·fix·(2·/·188)·for·'package_httpd_removed' | 75 | #·BEGIN·fix·(2·/·188)·for·'package_httpd_removed' |
| 76 | ############################################################################### | 76 | ############################################################################### |
| 77 | (>&2·echo·"Remediating·rule·2/188:·'package_httpd_removed'") | 77 | (>&2·echo·"Remediating·rule·2/188:·'package_httpd_removed'") |
| 78 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 78 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 79 | # | 79 | # |
| Offset 115, 24 lines modified | Offset 115, 61 lines modified | ||
| 115 | } | 115 | } |
| 116 | package_remove·httpd | 116 | package_remove·httpd |
| 117 | #·END·fix·for·'package_httpd_removed' | 117 | #·END·fix·for·'package_httpd_removed' |
| 118 | ############################################################################### | 118 | ############################################################################### |
| 119 | #·BEGIN·fix·(3·/·188)·for·'p | 119 | #·BEGIN·fix·(3·/·188)·for·'package_bind_removed' |
| 120 | ############################################################################### | 120 | ############################################################################### |
| 121 | (>&2·echo·"Remediating·rule·3/188:·'p | 121 | (>&2·echo·"Remediating·rule·3/188:·'package_bind_removed'") |
| 122 | #·F | 122 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 123 | # | 123 | # |
| 124 | #·Example·Call(s): | ||
| 125 | # | ||
| 126 | #·····package_remove·telnet-server | ||
| 127 | # | ||
| 128 | function·package_remove·{ | ||
| 129 | #·Load·function·arguments·into·local·variables | ||
| 130 | local·package="$1" | ||
| 131 | #·Check·sanity·of·the·input | ||
| 132 | if·[·$#·-ne·"1"·] | ||
| 133 | then | ||
| 134 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 135 | ··echo·"Aborting." | ||
| 136 | ··exit·1 | ||
| 137 | fi | ||
| 138 | if·which·dnf·;·then | ||
| 139 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 140 | ····dnf·remove·-y·"$package" | ||
| 141 | ··fi | ||
| 142 | elif·which·yum·;·then | ||
| 143 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 144 | ····yum·remove·-y·"$package" | ||
| 145 | ··fi | ||
| 146 | elif·which·apt-get·;·then | ||
| 147 | ··apt-get·remove·-y·"$package" | ||
| 148 | else | ||
| 149 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 150 | ··echo·"Aborting." | ||
| 151 | ··exit·1 | ||
| 152 | fi | ||
| 153 | } | ||
| 154 | package_remove·bind | ||
| 155 | #·END·fix·for·'package_bind_removed' | ||
| 124 | ############################################################################### | 156 | ############################################################################### |
| 125 | #·BEGIN·fix·(4·/·188)·for·'package_ | 157 | #·BEGIN·fix·(4·/·188)·for·'package_samba_removed' |
| 126 | ############################################################################### | 158 | ############################################################################### |
| 127 | (>&2·echo·"Remediating·rule·4/188:·'package_ | 159 | (>&2·echo·"Remediating·rule·4/188:·'package_samba_removed'") |
| 128 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 160 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 129 | # | 161 | # |
| 130 | #·Example·Call(s): | 162 | #·Example·Call(s): |
| 131 | # | 163 | # |
| 132 | #·····package_remove·telnet-server | 164 | #·····package_remove·telnet-server |
| 133 | # | 165 | # |
| 134 | function·package_remove·{ | 166 | function·package_remove·{ |
| Offset 162, 16 lines modified | Offset 199, 16 lines modified | ||
| 162 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 199 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 163 | ··echo·"Aborting." | 200 | ··echo·"Aborting." |
| 164 | ··exit·1 | 201 | ··exit·1 |
| 165 | fi | 202 | fi |
| 166 | } | 203 | } |
| 167 | package_remove· | 204 | package_remove·samba |
| 168 | #·END·fix·for·'package_ | 205 | #·END·fix·for·'package_samba_removed' |
| 169 | ############################################################################### | 206 | ############################################################################### |
| 170 | #·BEGIN·fix·(5·/·188)·for·'service_ntpd_enabled' | 207 | #·BEGIN·fix·(5·/·188)·for·'service_ntpd_enabled' |
| 171 | ############################################################################### | 208 | ############################################################################### |
| 172 | (>&2·echo·"Remediating·rule·5/188:·'service_ntpd_enabled'") | 209 | (>&2·echo·"Remediating·rule·5/188:·'service_ntpd_enabled'") |
| 173 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 210 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 174 | # | 211 | # |
| Offset 262, 17 lines modified | Offset 299, 105 lines modified | ||
| 262 | #·BEGIN·fix·(7·/·188)·for·'ntpd_specify_remote_server' | 299 | #·BEGIN·fix·(7·/·188)·for·'ntpd_specify_remote_server' |
| 263 | ############################################################################### | 300 | ############################################################################### |
| 264 | (>&2·echo·"Remediating·rule·7/188:·'ntpd_specify_remote_server'") | 301 | (>&2·echo·"Remediating·rule·7/188:·'ntpd_specify_remote_server'") |
| 265 | #·FIX·FOR·THIS·RULE·IS·MISSING | 302 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 266 | #·END·fix·for·'ntpd_specify_remote_server' | 303 | #·END·fix·for·'ntpd_specify_remote_server' |
| 267 | ############################################################################### | 304 | ############################################################################### |
| 268 | #·BEGIN·fix·(8·/·188)·for·' | 305 | #·BEGIN·fix·(8·/·188)·for·'package_openldap-servers_removed' |
| 269 | ############################################################################### | 306 | ############################################################################### |
| 270 | (>&2·echo·"Remediating·rule·8/188:·' | 307 | (>&2·echo·"Remediating·rule·8/188:·'package_openldap-servers_removed'") |
| 308 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 309 | # | ||
| 310 | #·Example·Call(s): | ||
| Max diff block lines reached; 329997/337019 bytes (97.92%) of diff not shown. | |||
| Offset 18, 17 lines modified | Offset 18, 31 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·313)·for·' | 24 | #·BEGIN·fix·(1·/·313)·for·'ftp_log_transactions' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/313:·' | 26 | (>&2·echo·"Remediating·rule·1/313:·'ftp_log_transactions'") |
| 27 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 28 | #·END·fix·for·'ftp_log_transactions' | ||
| 29 | ############################################################################### | ||
| 30 | #·BEGIN·fix·(2·/·313)·for·'ftp_present_banner' | ||
| 31 | ############################################################################### | ||
| 32 | (>&2·echo·"Remediating·rule·2/313:·'ftp_present_banner'") | ||
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 34 | #·END·fix·for·'ftp_present_banner' | ||
| 35 | ############################################################################### | ||
| 36 | #·BEGIN·fix·(3·/·313)·for·'service_vsftpd_disabled' | ||
| 37 | ############################################################################### | ||
| 38 | (>&2·echo·"Remediating·rule·3/313:·'service_vsftpd_disabled'") | ||
| 27 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 39 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 28 | # | 40 | # |
| 29 | #·Example·Call(s): | 41 | #·Example·Call(s): |
| 30 | # | 42 | # |
| 31 | #·····service_command·enable·bluetooth | 43 | #·····service_command·enable·bluetooth |
| 32 | #·····service_command·disable·bluetooth.service | 44 | #·····service_command·disable·bluetooth.service |
| 33 | # | 45 | # |
| Offset 96, 49 lines modified | Offset 110, 60 lines modified | ||
| 96 | ··else | 110 | ··else |
| 97 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 111 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 98 | ··fi | 112 | ··fi |
| 99 | fi | 113 | fi |
| 100 | } | 114 | } |
| 101 | service_command·disable·s | 115 | service_command·disable·vsftpd |
| 102 | #·END·fix·for·'service_s | 116 | #·END·fix·for·'service_vsftpd_disabled' |
| 103 | ############################################################################### | 117 | ############################################################################### |
| 104 | #·BEGIN·fix·( | 118 | #·BEGIN·fix·(4·/·313)·for·'package_vsftpd_removed' |
| 105 | ############################################################################### | 119 | ############################################################################### |
| 106 | (>&2·echo·"Remediating·rule· | 120 | (>&2·echo·"Remediating·rule·4/313:·'package_vsftpd_removed'") |
| 107 | #·F | 121 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 108 | # | 122 | # |
| 123 | #·Example·Call(s): | ||
| 124 | # | ||
| 125 | #·····package_remove·telnet-server | ||
| 126 | # | ||
| 127 | function·package_remove·{ | ||
| 109 | # | 128 | #·Load·function·arguments·into·local·variables |
| 110 | 129 | local·package="$1" | |
| 111 | ############################################################################### | ||
| 112 | (>&2·echo·"Remediating·rule·3/313:·'require_smb_client_signing'") | ||
| 113 | ###################################################################### | ||
| 114 | #By·Luke·"Brisk-OH"·Brisk | ||
| 115 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | ||
| 116 | ###################################################################### | ||
| 117 | 130 | #·Check·sanity·of·the·input | |
| 131 | if·[·$#·-ne·"1"·] | ||
| 132 | then | ||
| 133 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 134 | ··echo·"Aborting." | ||
| 135 | ··exit·1 | ||
| 136 | fi | ||
| 118 | if· | 137 | if·which·dnf·;·then |
| 119 | 138 | ··if·rpm·-q·--quiet·"$package";·then | |
| 120 | 139 | ····dnf·remove·-y·"$package" | |
| 140 | ··fi | ||
| 141 | elif·which·yum·;·then | ||
| 142 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 143 | ····yum·remove·-y·"$package" | ||
| 144 | ··fi | ||
| 145 | elif·which·apt-get·;·then | ||
| 146 | ··apt-get·remove·-y·"$package" | ||
| 121 | else | 147 | else |
| 122 | 148 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 149 | ··echo·"Aborting." | ||
| 150 | ··exit·1 | ||
| 123 | fi | 151 | fi |
| 124 | #·END·fix·for·'require_smb_client_signing' | ||
| 125 | 152 | } | |
| 126 | #·BEGIN·fix·(4·/·313)·for·'mount_option_smb_client_signing' | ||
| 127 | 153 | package_remove·vsftpd | |
| 128 | 154 | #·END·fix·for·'package_vsftpd_removed' | |
| 129 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 130 | #·END·fix·for·'mount_option_smb_client_signing' | ||
| 131 | ############################################################################### | 155 | ############################################################################### |
| 132 | #·BEGIN·fix·(5·/·313)·for·'package_httpd_removed' | 156 | #·BEGIN·fix·(5·/·313)·for·'package_httpd_removed' |
| 133 | ############################################################################### | 157 | ############################################################################### |
| 134 | (>&2·echo·"Remediating·rule·5/313:·'package_httpd_removed'") | 158 | (>&2·echo·"Remediating·rule·5/313:·'package_httpd_removed'") |
| 135 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 159 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 136 | # | 160 | # |
| Offset 248, 94 lines modified | Offset 273, 183 lines modified | ||
| 248 | #·BEGIN·fix·(15·/·313)·for·'httpd_ldap_support' | 273 | #·BEGIN·fix·(15·/·313)·for·'httpd_ldap_support' |
| 249 | ############################################################################### | 274 | ############################################################################### |
| 250 | (>&2·echo·"Remediating·rule·15/313:·'httpd_ldap_support'") | 275 | (>&2·echo·"Remediating·rule·15/313:·'httpd_ldap_support'") |
| 251 | #·FIX·FOR·THIS·RULE·IS·MISSING | 276 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 252 | #·END·fix·for·'httpd_ldap_support' | 277 | #·END·fix·for·'httpd_ldap_support' |
| 253 | ############################################################################### | 278 | ############################################################################### |
| 254 | #·BEGIN·fix·(16·/·313)·for·'httpd_ | 279 | #·BEGIN·fix·(16·/·313)·for·'httpd_cgi_support' |
| 255 | ############################################################################### | 280 | ############################################################################### |
| 256 | (>&2·echo·"Remediating·rule·16/313:·'httpd_ | 281 | (>&2·echo·"Remediating·rule·16/313:·'httpd_cgi_support'") |
| 257 | #·FIX·FOR·THIS·RULE·IS·MISSING | 282 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 258 | #·END·fix·for·'httpd_ | 283 | #·END·fix·for·'httpd_cgi_support' |
| 259 | ############################################################################### | 284 | ############################################################################### |
| 260 | #·BEGIN·fix·(17·/·313)·for·'httpd_ | 285 | #·BEGIN·fix·(17·/·313)·for·'httpd_url_correction' |
| 261 | ############################################################################### | 286 | ############################################################################### |
| 262 | (>&2·echo·"Remediating·rule·17/313:·'httpd_ | 287 | (>&2·echo·"Remediating·rule·17/313:·'httpd_url_correction'") |
| 263 | #·FIX·FOR·THIS·RULE·IS·MISSING | 288 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 264 | #·END·fix·for·'httpd_ | 289 | #·END·fix·for·'httpd_url_correction' |
| 265 | ############################################################################### | 290 | ############################################################################### |
| 266 | #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status' | 291 | #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status' |
| 267 | ############################################################################### | 292 | ############################################################################### |
| 268 | (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'") | 293 | (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'") |
| 269 | #·FIX·FOR·THIS·RULE·IS·MISSING | 294 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| Max diff block lines reached; 441404/447704 bytes (98.59%) of diff not shown. | |||
| Offset 23, 46 lines modified | Offset 23, 99 lines modified | ||
| 23 | # | 23 | # |
| 24 | #·How·to·apply·this·remediation·role: | 24 | #·How·to·apply·this·remediation·role: |
| 25 | #·$·sudo·./remediation-role.sh | 25 | #·$·sudo·./remediation-role.sh |
| 26 | # | 26 | # |
| 27 | ############################################################################### | 27 | ############################################################################### |
| 28 | ############################################################################### | 28 | ############################################################################### |
| 29 | #·BEGIN·fix·(1·/·215)·for·' | 29 | #·BEGIN·fix·(1·/·215)·for·'service_vsftpd_disabled' |
| 30 | ############################################################################### | 30 | ############################################################################### |
| 31 | (>&2·echo·"Remediating·rule·1/215:·' | 31 | (>&2·echo·"Remediating·rule·1/215:·'service_vsftpd_disabled'") |
| 32 | #·F | 32 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 33 | # | 33 | # |
| 34 | #·Example·Call(s): | ||
| 35 | # | ||
| 36 | #·····service_command·enable·bluetooth | ||
| 37 | #·····service_command·disable·bluetooth.service | ||
| 38 | # | ||
| 39 | #·····Using·xinetd: | ||
| 40 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 41 | # | ||
| 42 | function·service_command·{ | ||
| 34 | # | 43 | #·Load·function·arguments·into·local·variables |
| 35 | 44 | local·service_state=$1 | |
| 36 | 45 | local·service=$2 | |
| 37 | 46 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | |
| 38 | 47 | #·Check·sanity·of·the·input | |
| 39 | 48 | if·[·$#·-lt·"2"·] | |
| 49 | then | ||
| 50 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 51 | ··echo | ||
| 52 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 53 | ··echo·"as·the·last·argument"·· | ||
| 54 | ··echo·"Aborting." | ||
| 55 | ··exit·1 | ||
| 56 | fi | ||
| 40 | # | 57 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands |
| 41 | 58 | if·[·-f·"/usr/bin/systemctl"·]·;·then | |
| 42 | 59 | ··service_util="/usr/bin/systemctl" | |
| 43 | 60 | else | |
| 44 | 61 | ··service_util="/sbin/service" | |
| 45 | 62 | ··chkconfig_util="/sbin/chkconfig" | |
| 63 | fi | ||
| 46 | # | 64 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. |
| 47 | #· | 65 | #·Otherwise,·variables·are·to·be·set·to·disable·services. |
| 48 | 66 | if·[·"$service_state"·!=·'disable'·]·;·then | |
| 49 | 67 | ··service_state="enable" | |
| 50 | 68 | ··service_operation="start" | |
| 51 | 69 | ··chkconfig_state="on" | |
| 70 | else | ||
| 71 | ··service_state="disable" | ||
| 72 | ··service_operation="stop" | ||
| 73 | ··chkconfig_state="off" | ||
| 74 | fi | ||
| 75 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 76 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 77 | ··$service_util·$service·$service_operation | ||
| 78 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 79 | else | ||
| 80 | ··$service_util·$service_operation·$service | ||
| 81 | ··$service_util·$service_state·$service | ||
| 82 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 83 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 84 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 85 | ··$service_util·reset-failed·$service | ||
| 86 | fi | ||
| 87 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 88 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 89 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 90 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 91 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 92 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 93 | ··else | ||
| 94 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 95 | ··fi | ||
| 96 | fi | ||
| 97 | } | ||
| 98 | service_command·disable·vsftpd | ||
| 99 | #·END·fix·for·'service_vsftpd_disabled' | ||
| 52 | ############################################################################### | 100 | ############################################################################### |
| 53 | #·BEGIN·fix·( | 101 | #·BEGIN·fix·(2·/·215)·for·'package_vsftpd_removed' |
| 54 | ############################################################################### | 102 | ############################################################################### |
| 55 | (>&2·echo·"Remediating·rule· | 103 | (>&2·echo·"Remediating·rule·2/215:·'package_vsftpd_removed'") |
| 56 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 104 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 57 | # | 105 | # |
| 58 | #·Example·Call(s): | 106 | #·Example·Call(s): |
| 59 | # | 107 | # |
| 60 | #·····package_remove·telnet-server | 108 | #·····package_remove·telnet-server |
| 61 | # | 109 | # |
| 62 | function·package_remove·{ | 110 | function·package_remove·{ |
| Offset 92, 49 lines modified | Offset 145, 132 lines modified | ||
| 92 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 145 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 93 | ··echo·"Aborting." | 146 | ··echo·"Aborting." |
| 94 | ··exit·1 | 147 | ··exit·1 |
| 95 | fi | 148 | fi |
| 96 | } | 149 | } |
| 97 | package_remove· | 150 | package_remove·vsftpd |
| 98 | #·END·fix·for·'package_ | 151 | #·END·fix·for·'package_vsftpd_removed' |
| 99 | ############################################################################### | 152 | ############################################################################### |
| 100 | #·BEGIN·fix·( | 153 | #·BEGIN·fix·(3·/·215)·for·'httpd_servertokens_prod' |
| 101 | ############################################################################### | 154 | ############################################################################### |
| 102 | (>&2·echo·"Remediating·rule· | 155 | (>&2·echo·"Remediating·rule·3/215:·'httpd_servertokens_prod'") |
| 103 | #·FIX·FOR·THIS·RULE·IS·MISSING | 156 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 104 | #·END·fix·for·' | 157 | #·END·fix·for·'httpd_servertokens_prod' |
| 105 | ############################################################################### | 158 | ############################################################################### |
| 106 | #·BEGIN·fix·( | 159 | #·BEGIN·fix·(4·/·215)·for·'file_permissions_httpd_server_conf_files' |
| 107 | ############################################################################### | 160 | ############################################################################### |
| 108 | (>&2·echo·"Remediating·rule· | 161 | (>&2·echo·"Remediating·rule·4/215:·'file_permissions_httpd_server_conf_files'") |
| 109 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 110 | 162 | chmod·0640·/etc/httpd/conf/* | |
| 163 | #·END·fix·for·'file_permissions_httpd_server_conf_files' | ||
| 111 | ############################################################################### | 164 | ############################################################################### |
| 112 | #·BEGIN·fix·( | 165 | #·BEGIN·fix·(5·/·215)·for·'dir_perms_var_log_httpd' |
| Max diff block lines reached; 292875/299278 bytes (97.86%) of diff not shown. | |||
| Offset 19, 17 lines modified | Offset 19, 17 lines modified | ||
| 19 | # | 19 | # |
| 20 | #·How·to·apply·this·remediation·role: | 20 | #·How·to·apply·this·remediation·role: |
| 21 | #·$·sudo·./remediation-role.sh | 21 | #·$·sudo·./remediation-role.sh |
| 22 | # | 22 | # |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | ############################################################################### | 24 | ############################################################################### |
| 25 | #·BEGIN·fix·(1·/·206)·for·'service_s | 25 | #·BEGIN·fix·(1·/·206)·for·'service_vsftpd_disabled' |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | (>&2·echo·"Remediating·rule·1/206:·'service_s | 27 | (>&2·echo·"Remediating·rule·1/206:·'service_vsftpd_disabled'") |
| 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 29 | # | 29 | # |
| 30 | #·Example·Call(s): | 30 | #·Example·Call(s): |
| 31 | # | 31 | # |
| 32 | #·····service_command·enable·bluetooth | 32 | #·····service_command·enable·bluetooth |
| 33 | #·····service_command·disable·bluetooth.service | 33 | #·····service_command·disable·bluetooth.service |
| 34 | # | 34 | # |
| Offset 97, 47 lines modified | Offset 97, 65 lines modified | ||
| 97 | ··else | 97 | ··else |
| 98 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 98 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 99 | ··fi | 99 | ··fi |
| 100 | fi | 100 | fi |
| 101 | } | 101 | } |
| 102 | service_command·disable·s | 102 | service_command·disable·vsftpd |
| 103 | #·END·fix·for·'service_s | 103 | #·END·fix·for·'service_vsftpd_disabled' |
| 104 | ############################################################################### | 104 | ############################################################################### |
| 105 | #·BEGIN·fix·(2·/·206)·for·' | 105 | #·BEGIN·fix·(2·/·206)·for·'package_vsftpd_removed' |
| 106 | ############################################################################### | 106 | ############################################################################### |
| 107 | (>&2·echo·"Remediating·rule·2/206:·' | 107 | (>&2·echo·"Remediating·rule·2/206:·'package_vsftpd_removed'") |
| 108 | # | 108 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 109 | # | 109 | # |
| 110 | # | 110 | #·Example·Call(s): |
| 111 | # | 111 | # |
| 112 | #·····package_remove·telnet-server | ||
| 113 | # | ||
| 114 | function·package_remove·{ | ||
| 112 | 115 | #·Load·function·arguments·into·local·variables | |
| 116 | local·package="$1" | ||
| 113 | 117 | #·Check·sanity·of·the·input | |
| 114 | 118 | if·[·$#·-ne·"1"·] | |
| 115 | 119 | then | |
| 120 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 121 | ··echo·"Aborting." | ||
| 122 | ··exit·1 | ||
| 123 | fi | ||
| 124 | if·which·dnf·;·then | ||
| 125 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 126 | ····dnf·remove·-y·"$package" | ||
| 127 | ··fi | ||
| 128 | elif·which·yum·;·then | ||
| 129 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 130 | ····yum·remove·-y·"$package" | ||
| 131 | ··fi | ||
| 132 | elif·which·apt-get·;·then | ||
| 133 | ··apt-get·remove·-y·"$package" | ||
| 116 | else | 134 | else |
| 117 | 135 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 136 | ··echo·"Aborting." | ||
| 137 | ··exit·1 | ||
| 118 | fi | 138 | fi |
| 119 | #·END·fix·for·'require_smb_client_signing' | ||
| 120 | 139 | } | |
| 121 | #·BEGIN·fix·(3·/·206)·for·'mount_option_smb_client_signing' | ||
| 122 | 140 | package_remove·vsftpd | |
| 123 | 141 | #·END·fix·for·'package_vsftpd_removed' | |
| 124 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 125 | #·END·fix·for·'mount_option_smb_client_signing' | ||
| 126 | ############################################################################### | 142 | ############################################################################### |
| 127 | #·BEGIN·fix·( | 143 | #·BEGIN·fix·(3·/·206)·for·'service_httpd_disabled' |
| 128 | ############################################################################### | 144 | ############################################################################### |
| 129 | (>&2·echo·"Remediating·rule· | 145 | (>&2·echo·"Remediating·rule·3/206:·'service_httpd_disabled'") |
| 130 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 146 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 131 | # | 147 | # |
| 132 | #·Example·Call(s): | 148 | #·Example·Call(s): |
| 133 | # | 149 | # |
| 134 | #·····service_command·enable·bluetooth | 150 | #·····service_command·enable·bluetooth |
| 135 | #·····service_command·disable·bluetooth.service | 151 | #·····service_command·disable·bluetooth.service |
| 136 | # | 152 | # |
| Offset 209, 17 lines modified | Offset 227, 17 lines modified | ||
| 209 | } | 227 | } |
| 210 | service_command·disable·httpd | 228 | service_command·disable·httpd |
| 211 | #·END·fix·for·'service_httpd_disabled' | 229 | #·END·fix·for·'service_httpd_disabled' |
| 212 | ############################################################################### | 230 | ############################################################################### |
| 213 | #·BEGIN·fix·( | 231 | #·BEGIN·fix·(4·/·206)·for·'package_httpd_removed' |
| 214 | ############################################################################### | 232 | ############################################################################### |
| 215 | (>&2·echo·"Remediating·rule· | 233 | (>&2·echo·"Remediating·rule·4/206:·'package_httpd_removed'") |
| 216 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 234 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 217 | # | 235 | # |
| 218 | #·Example·Call(s): | 236 | #·Example·Call(s): |
| 219 | # | 237 | # |
| 220 | #·····package_remove·telnet-server | 238 | #·····package_remove·telnet-server |
| 221 | # | 239 | # |
| 222 | function·package_remove·{ | 240 | function·package_remove·{ |
| Offset 253, 24 lines modified | Offset 271, 99 lines modified | ||
| 253 | } | 271 | } |
| 254 | package_remove·httpd | 272 | package_remove·httpd |
| 255 | #·END·fix·for·'package_httpd_removed' | 273 | #·END·fix·for·'package_httpd_removed' |
| 256 | ############################################################################### | 274 | ############################################################################### |
| 257 | #·BEGIN·fix·( | 275 | #·BEGIN·fix·(5·/·206)·for·'service_named_disabled' |
| 258 | ############################################################################### | 276 | ############################################################################### |
| 259 | (>&2·echo·"Remediating·rule· | 277 | (>&2·echo·"Remediating·rule·5/206:·'service_named_disabled'") |
| 260 | #·F | 278 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 261 | # | 279 | # |
| 280 | #·Example·Call(s): | ||
| 281 | # | ||
| 282 | #·····service_command·enable·bluetooth | ||
| 283 | #·····service_command·disable·bluetooth.service | ||
| 284 | # | ||
| 285 | #·····Using·xinetd: | ||
| 286 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 287 | # | ||
| 288 | function·service_command·{ | ||
| Max diff block lines reached; 321323/328772 bytes (97.73%) of diff not shown. | |||
| Offset 114, 17 lines modified | Offset 114, 181 lines modified | ||
| 114 | #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server' | 114 | #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server' |
| 115 | ############################################################################### | 115 | ############################################################################### |
| 116 | (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'") | 116 | (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'") |
| 117 | #·FIX·FOR·THIS·RULE·IS·MISSING | 117 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 118 | #·END·fix·for·'ntpd_specify_remote_server' | 118 | #·END·fix·for·'ntpd_specify_remote_server' |
| 119 | ############################################################################### | 119 | ############################################################################### |
| 120 | #·BEGIN·fix·(4·/·211)·for·' | 120 | #·BEGIN·fix·(4·/·211)·for·'service_crond_enabled' |
| 121 | ############################################################################### | 121 | ############################################################################### |
| 122 | (>&2·echo·"Remediating·rule·4/211:·' | 122 | (>&2·echo·"Remediating·rule·4/211:·'service_crond_enabled'") |
| 123 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 124 | # | ||
| 125 | #·Example·Call(s): | ||
| 126 | # | ||
| 127 | #·····service_command·enable·bluetooth | ||
| 128 | #·····service_command·disable·bluetooth.service | ||
| 129 | # | ||
| 130 | #·····Using·xinetd: | ||
| 131 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 132 | # | ||
| 133 | function·service_command·{ | ||
| 134 | #·Load·function·arguments·into·local·variables | ||
| 135 | local·service_state=$1 | ||
| 136 | local·service=$2 | ||
| 137 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 138 | #·Check·sanity·of·the·input | ||
| 139 | if·[·$#·-lt·"2"·] | ||
| 140 | then | ||
| 141 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 142 | ··echo | ||
| 143 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 144 | ··echo·"as·the·last·argument"·· | ||
| 145 | ··echo·"Aborting." | ||
| 146 | ··exit·1 | ||
| 147 | fi | ||
| 148 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 149 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 150 | ··service_util="/usr/bin/systemctl" | ||
| 151 | else | ||
| 152 | ··service_util="/sbin/service" | ||
| 153 | ··chkconfig_util="/sbin/chkconfig" | ||
| 154 | fi | ||
| 155 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 156 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 157 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 158 | ··service_state="enable" | ||
| 159 | ··service_operation="start" | ||
| 160 | ··chkconfig_state="on" | ||
| 161 | else | ||
| 162 | ··service_state="disable" | ||
| 163 | ··service_operation="stop" | ||
| 164 | ··chkconfig_state="off" | ||
| 165 | fi | ||
| 166 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 167 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 168 | ··$service_util·$service·$service_operation | ||
| 169 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 170 | else | ||
| 171 | ··$service_util·$service_operation·$service | ||
| 172 | ··$service_util·$service_state·$service | ||
| 173 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 174 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 175 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 176 | ··$service_util·reset-failed·$service | ||
| 177 | fi | ||
| 178 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 179 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 180 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 181 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 182 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 183 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 184 | ··else | ||
| 185 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 186 | ··fi | ||
| 187 | fi | ||
| 188 | } | ||
| 189 | service_command·enable·crond | ||
| 190 | #·END·fix·for·'service_crond_enabled' | ||
| 191 | ############################################################################### | ||
| 192 | #·BEGIN·fix·(5·/·211)·for·'service_atd_disabled' | ||
| 193 | ############################################################################### | ||
| 194 | (>&2·echo·"Remediating·rule·5/211:·'service_atd_disabled'") | ||
| 195 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 196 | # | ||
| 197 | #·Example·Call(s): | ||
| 198 | # | ||
| 199 | #·····service_command·enable·bluetooth | ||
| 200 | #·····service_command·disable·bluetooth.service | ||
| 201 | # | ||
| 202 | #·····Using·xinetd: | ||
| 203 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 204 | # | ||
| 205 | function·service_command·{ | ||
| 206 | #·Load·function·arguments·into·local·variables | ||
| 207 | local·service_state=$1 | ||
| 208 | local·service=$2 | ||
| 209 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 210 | #·Check·sanity·of·the·input | ||
| 211 | if·[·$#·-lt·"2"·] | ||
| 212 | then | ||
| 213 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 214 | ··echo | ||
| 215 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 216 | ··echo·"as·the·last·argument"·· | ||
| 217 | ··echo·"Aborting." | ||
| 218 | ··exit·1 | ||
| 219 | fi | ||
| 220 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 221 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 222 | ··service_util="/usr/bin/systemctl" | ||
| 223 | else | ||
| 224 | ··service_util="/sbin/service" | ||
| 225 | ··chkconfig_util="/sbin/chkconfig" | ||
| 226 | fi | ||
| Max diff block lines reached; 326691/332694 bytes (98.20%) of diff not shown. | |||
| Offset 18, 17 lines modified | Offset 18, 96 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·192)·for·' | 24 | #·BEGIN·fix·(1·/·192)·for·'ftp_restrict_to_anon' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/192:·' | 26 | (>&2·echo·"Remediating·rule·1/192:·'ftp_restrict_to_anon'") |
| 27 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 28 | #·END·fix·for·'ftp_restrict_to_anon' | ||
| 29 | ############################################################################### | ||
| 30 | #·BEGIN·fix·(2·/·192)·for·'ftp_home_partition' | ||
| 31 | ############################################################################### | ||
| 32 | (>&2·echo·"Remediating·rule·2/192:·'ftp_home_partition'") | ||
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 34 | #·END·fix·for·'ftp_home_partition' | ||
| 35 | ############################################################################### | ||
| 36 | #·BEGIN·fix·(3·/·192)·for·'ftp_log_transactions' | ||
| 37 | ############################################################################### | ||
| 38 | (>&2·echo·"Remediating·rule·3/192:·'ftp_log_transactions'") | ||
| 39 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 40 | #·END·fix·for·'ftp_log_transactions' | ||
| 41 | ############################################################################### | ||
| 42 | #·BEGIN·fix·(4·/·192)·for·'ftp_disable_uploads' | ||
| 43 | ############################################################################### | ||
| 44 | (>&2·echo·"Remediating·rule·4/192:·'ftp_disable_uploads'") | ||
| 45 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 46 | #·END·fix·for·'ftp_disable_uploads' | ||
| 47 | ############################################################################### | ||
| 48 | #·BEGIN·fix·(5·/·192)·for·'ftp_present_banner' | ||
| 49 | ############################################################################### | ||
| 50 | (>&2·echo·"Remediating·rule·5/192:·'ftp_present_banner'") | ||
| 51 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 52 | #·END·fix·for·'ftp_present_banner' | ||
| 53 | ############################################################################### | ||
| 54 | #·BEGIN·fix·(6·/·192)·for·'package_vsftpd_installed' | ||
| 55 | ############################################################################### | ||
| 56 | (>&2·echo·"Remediating·rule·6/192:·'package_vsftpd_installed'") | ||
| 57 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 58 | # | ||
| 59 | #·Example·Call(s): | ||
| 60 | # | ||
| 61 | #·····package_install·aide | ||
| 62 | # | ||
| 63 | function·package_install·{ | ||
| 64 | #·Load·function·arguments·into·local·variables | ||
| 65 | local·package="$1" | ||
| 66 | #·Check·sanity·of·the·input | ||
| 67 | if·[·$#·-ne·"1"·] | ||
| 68 | then | ||
| 69 | ··echo·"Usage:·package_install·'package_name'" | ||
| 70 | ··echo·"Aborting." | ||
| 71 | ··exit·1 | ||
| 72 | fi | ||
| 73 | if·which·dnf·;·then | ||
| 74 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 75 | ····dnf·install·-y·"$package" | ||
| 76 | ··fi | ||
| 77 | elif·which·yum·;·then | ||
| 78 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 79 | ····yum·install·-y·"$package" | ||
| 80 | ··fi | ||
| 81 | elif·which·apt-get·;·then | ||
| 82 | ··apt-get·install·-y·"$package" | ||
| 83 | else | ||
| 84 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 85 | ··echo·"Aborting." | ||
| 86 | ··exit·1 | ||
| 87 | fi | ||
| 88 | } | ||
| 89 | package_install·vsftpd | ||
| 90 | #·END·fix·for·'package_vsftpd_installed' | ||
| 91 | ############################################################################### | ||
| 92 | #·BEGIN·fix·(7·/·192)·for·'require_smb_client_signing' | ||
| 93 | ############################################################################### | ||
| 94 | (>&2·echo·"Remediating·rule·7/192:·'require_smb_client_signing'") | ||
| 27 | ###################################################################### | 95 | ###################################################################### |
| 28 | #By·Luke·"Brisk-OH"·Brisk | 96 | #By·Luke·"Brisk-OH"·Brisk |
| 29 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 97 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 30 | ###################################################################### | 98 | ###################################################################### |
| 31 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 99 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| Offset 37, 38 lines modified | Offset 116, 24 lines modified | ||
| 37 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 116 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 38 | else | 117 | else |
| 39 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 118 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 40 | fi | 119 | fi |
| 41 | #·END·fix·for·'require_smb_client_signing' | 120 | #·END·fix·for·'require_smb_client_signing' |
| 42 | ############################################################################### | 121 | ############################################################################### |
| 43 | #·BEGIN·fix·( | 122 | #·BEGIN·fix·(8·/·192)·for·'mount_option_smb_client_signing' |
| 44 | ############################################################################### | 123 | ############################################################################### |
| 45 | (>&2·echo·"Remediating·rule· | 124 | (>&2·echo·"Remediating·rule·8/192:·'mount_option_smb_client_signing'") |
| 46 | #·FIX·FOR·THIS·RULE·IS·MISSING | 125 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 47 | #·END·fix·for·'mount_option_smb_client_signing' | 126 | #·END·fix·for·'mount_option_smb_client_signing' |
| 48 | ############################################################################### | 127 | ############################################################################### |
| 49 | #·BEGIN·fix·( | 128 | #·BEGIN·fix·(9·/·192)·for·'service_ntpd_enabled' |
| 50 | ############################################################################### | ||
| 51 | (>&2·echo·"Remediating·rule·3/192:·'postfix_network_listening_disabled'") | ||
| 52 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 53 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 54 | ############################################################################### | ||
| 55 | #·BEGIN·fix·(4·/·192)·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 56 | ############################################################################### | ||
| 57 | (>&2·echo·"Remediating·rule·4/192:·'sysconfig_networking_bootproto_ifcfg'") | ||
| 58 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 59 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 60 | ############################################################################### | ||
| 61 | #·BEGIN·fix·(5·/·192)·for·'service_ntpd_enabled' | ||
| 62 | ############################################################################### | 129 | ############################################################################### |
| Max diff block lines reached; 286922/292683 bytes (98.03%) of diff not shown. | |||
| Offset 22, 43 lines modified | Offset 22, 61 lines modified | ||
| 22 | # | 22 | # |
| 23 | #·How·to·apply·this·remediation·role: | 23 | #·How·to·apply·this·remediation·role: |
| 24 | #·$·sudo·./remediation-role.sh | 24 | #·$·sudo·./remediation-role.sh |
| 25 | # | 25 | # |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | ############################################################################### | 27 | ############################################################################### |
| 28 | #·BEGIN·fix·(1·/·270)·for·' | 28 | #·BEGIN·fix·(1·/·270)·for·'package_vsftpd_removed' |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | (>&2·echo·"Remediating·rule·1/270:·' | 30 | (>&2·echo·"Remediating·rule·1/270:·'package_vsftpd_removed'") |
| 31 | # | 31 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 32 | # | 32 | # |
| 33 | # | 33 | #·Example·Call(s): |
| 34 | # | 34 | # |
| 35 | #·····package_remove·telnet-server | ||
| 36 | # | ||
| 37 | function·package_remove·{ | ||
| 35 | 38 | #·Load·function·arguments·into·local·variables | |
| 39 | local·package="$1" | ||
| 36 | 40 | #·Check·sanity·of·the·input | |
| 37 | 41 | if·[·$#·-ne·"1"·] | |
| 38 | 42 | then | |
| 43 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 44 | ··echo·"Aborting." | ||
| 45 | ··exit·1 | ||
| 46 | fi | ||
| 47 | if·which·dnf·;·then | ||
| 48 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 49 | ····dnf·remove·-y·"$package" | ||
| 50 | ··fi | ||
| 51 | elif·which·yum·;·then | ||
| 52 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 53 | ····yum·remove·-y·"$package" | ||
| 54 | ··fi | ||
| 55 | elif·which·apt-get·;·then | ||
| 56 | ··apt-get·remove·-y·"$package" | ||
| 39 | else | 57 | else |
| 40 | 58 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 59 | ··echo·"Aborting." | ||
| 60 | ··exit·1 | ||
| 41 | fi | 61 | fi |
| 42 | #·END·fix·for·'require_smb_client_signing' | ||
| 43 | 62 | } | |
| 44 | #·BEGIN·fix·(2·/·270)·for·'mount_option_smb_client_signing' | ||
| 45 | 63 | package_remove·vsftpd | |
| 46 | 64 | #·END·fix·for·'package_vsftpd_removed' | |
| 47 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 48 | #·END·fix·for·'mount_option_smb_client_signing' | ||
| 49 | ############################################################################### | 65 | ############################################################################### |
| 50 | #·BEGIN·fix·( | 66 | #·BEGIN·fix·(2·/·270)·for·'service_httpd_disabled' |
| 51 | ############################################################################### | 67 | ############################################################################### |
| 52 | (>&2·echo·"Remediating·rule· | 68 | (>&2·echo·"Remediating·rule·2/270:·'service_httpd_disabled'") |
| 53 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 69 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 54 | # | 70 | # |
| 55 | #·Example·Call(s): | 71 | #·Example·Call(s): |
| 56 | # | 72 | # |
| 57 | #·····service_command·enable·bluetooth | 73 | #·····service_command·enable·bluetooth |
| 58 | #·····service_command·disable·bluetooth.service | 74 | #·····service_command·disable·bluetooth.service |
| 59 | # | 75 | # |
| Offset 130, 17 lines modified | Offset 148, 17 lines modified | ||
| 130 | } | 148 | } |
| 131 | service_command·disable·httpd | 149 | service_command·disable·httpd |
| 132 | #·END·fix·for·'service_httpd_disabled' | 150 | #·END·fix·for·'service_httpd_disabled' |
| 133 | ############################################################################### | 151 | ############################################################################### |
| 134 | #·BEGIN·fix·( | 152 | #·BEGIN·fix·(3·/·270)·for·'package_httpd_removed' |
| 135 | ############################################################################### | 153 | ############################################################################### |
| 136 | (>&2·echo·"Remediating·rule· | 154 | (>&2·echo·"Remediating·rule·3/270:·'package_httpd_removed'") |
| 137 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 155 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 138 | # | 156 | # |
| 139 | #·Example·Call(s): | 157 | #·Example·Call(s): |
| 140 | # | 158 | # |
| 141 | #·····package_remove·telnet-server | 159 | #·····package_remove·telnet-server |
| 142 | # | 160 | # |
| 143 | function·package_remove·{ | 161 | function·package_remove·{ |
| Offset 174, 75 lines modified | Offset 192, 99 lines modified | ||
| 174 | } | 192 | } |
| 175 | package_remove·httpd | 193 | package_remove·httpd |
| 176 | #·END·fix·for·'package_httpd_removed' | 194 | #·END·fix·for·'package_httpd_removed' |
| 177 | ############################################################################### | 195 | ############################################################################### |
| 178 | #·BEGIN·fix·( | 196 | #·BEGIN·fix·(4·/·270)·for·'service_named_disabled' |
| 179 | ############################################################################### | 197 | ############################################################################### |
| 180 | (>&2·echo·"Remediating·rule· | 198 | (>&2·echo·"Remediating·rule·4/270:·'service_named_disabled'") |
| 181 | #·F | 199 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 182 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 183 | ############################################################################### | ||
| 184 | #·BEGIN·fix·(6·/·270)·for·'package_sendmail_removed' | ||
| 185 | ############################################################################### | ||
| 186 | (>&2·echo·"Remediating·rule·6/270:·'package_sendmail_removed'") | ||
| 187 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 188 | # | 200 | # |
| 189 | #·Example·Call(s): | 201 | #·Example·Call(s): |
| 190 | # | 202 | # |
| 191 | #····· | 203 | #·····service_command·enable·bluetooth |
| 204 | #·····service_command·disable·bluetooth.service | ||
| 192 | # | 205 | # |
| 193 | 206 | #·····Using·xinetd: | |
| 207 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 208 | # | ||
| 209 | function·service_command·{ | ||
| 194 | #·Load·function·arguments·into·local·variables | 210 | #·Load·function·arguments·into·local·variables |
| 195 | local· | 211 | local·service_state=$1 |
| 212 | local·service=$2 | ||
| 213 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 196 | #·Check·sanity·of·the·input | 214 | #·Check·sanity·of·the·input |
| 197 | if·[·$#·- | 215 | if·[·$#·-lt·"2"·] |
| 198 | then | 216 | then |
| 199 | ··echo·"Usage:· | 217 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" |
| 218 | ··echo | ||
| 219 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 220 | ··echo·"as·the·last·argument"·· | ||
| 200 | ··echo·"Aborting." | 221 | ··echo·"Aborting." |
| 201 | ··exit·1 | 222 | ··exit·1 |
| 202 | fi | 223 | fi |
| Max diff block lines reached; 415516/421004 bytes (98.70%) of diff not shown. | |||
| Offset 128, 424 lines modified | Offset 128, 17 lines modified | ||
| 128 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config | 128 | ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config |
| 129 | if·!·[·$?·-eq·0·];·then | 129 | if·!·[·$?·-eq·0·];·then |
| 130 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config | 130 | ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config |
| 131 | fi | 131 | fi |
| 132 | #·END·fix·for·'sshd_set_idle_timeout' | 132 | #·END·fix·for·'sshd_set_idle_timeout' |
| 133 | ############################################################################### | 133 | ############################################################################### |
| 134 | #·BEGIN·fix·(5·/·94)·for·'r | 134 | #·BEGIN·fix·(5·/·94)·for·'rsyslog_files_permissions' |
| 135 | ############################################################################### | 135 | ############################################################################### |
| 136 | (>&2·echo·"Remediating·rule·5/94:·'r | 136 | (>&2·echo·"Remediating·rule·5/94:·'rsyslog_files_permissions'") |
| 137 | #·Declare·array·to·hold·list·of·RPM·packages·we·need·to·correct·permissions·for | ||
| 138 | declare·-a·SETPERMS_RPM_LIST | ||
| 139 | #·Create·a·list·of·files·on·the·system·having·permissions·different·from·what | ||
| 140 | #·is·expected·by·the·RPM·database | ||
| 141 | FILES_WITH_INCORRECT_PERMS=($(rpm·-Va·--nofiledigest·|·grep·'^.M'·|·cut·-d·'·'·-f4-)) | ||
| 142 | #·For·each·file·path·from·that·list: | ||
| 143 | #·*·Determine·the·RPM·package·the·file·path·is·shipped·by, | ||
| 144 | #·*·Include·it·into·SETPERMS_RPM_LIST·array | ||
| 145 | for·FILE_PATH·in·"${FILES_WITH_INCORRECT_PERMS[@]}" | ||
| 146 | do | ||
| 147 | » RPM_PACKAGE=$(rpm·-qf·"$FILE_PATH") | ||
| 148 | » SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}"·"$RPM_PACKAGE") | ||
| 149 | done | ||
| 150 | #·Remove·duplicate·mention·of·same·RPM·in·$SETPERMS_RPM_LIST·(if·any) | ||
| 151 | SETPERMS_RPM_LIST=(·$(echo·"${SETPERMS_RPM_LIST[@]}"·|·tr·'·'·'\n'·|·sort·-u·|·tr·'\n'·'·')·) | ||
| 152 | #·For·each·of·the·RPM·packages·left·in·the·list·--·reset·its·permissions·to·the | ||
| 153 | #·correct·values | ||
| 154 | for·RPM_PACKAGE·in·"${SETPERMS_RPM_LIST[@]}" | ||
| 155 | do | ||
| 156 | » rpm·--setperms·"${RPM_PACKAGE}" | ||
| 157 | done | ||
| 158 | #·END·fix·for·'rpm_verify_permissions' | ||
| 159 | ############################################################################### | ||
| 160 | #·BEGIN·fix·(6·/·94)·for·'rpm_verify_hashes' | ||
| 161 | ############################################################################### | ||
| 162 | (>&2·echo·"Remediating·rule·6/94:·'rpm_verify_hashes'") | ||
| 163 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 164 | #·END·fix·for·'rpm_verify_hashes' | ||
| 165 | ############################################################################### | ||
| 166 | #·BEGIN·fix·(7·/·94)·for·'install_hids' | ||
| 167 | ############################################################################### | ||
| 168 | (>&2·echo·"Remediating·rule·7/94:·'install_hids'") | ||
| 169 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 170 | #·END·fix·for·'install_hids' | ||
| 171 | ############################################################################### | ||
| 172 | #·BEGIN·fix·(8·/·94)·for·'package_aide_installed' | ||
| 173 | ############################################################################### | ||
| 174 | (>&2·echo·"Remediating·rule·8/94:·'package_aide_installed'") | ||
| 175 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 176 | # | ||
| 177 | #·Example·Call(s): | ||
| 178 | # | ||
| 179 | #·····package_install·aide | ||
| 180 | # | ||
| 181 | function·package_install·{ | ||
| 182 | #·Load·function·arguments·into·local·variables | ||
| 183 | local·package="$1" | ||
| 184 | #·Check·sanity·of·the·input | ||
| 185 | if·[·$#·-ne·"1"·] | ||
| 186 | then | ||
| 187 | ··echo·"Usage:·package_install·'package_name'" | ||
| 188 | ··echo·"Aborting." | ||
| 189 | ··exit·1 | ||
| 190 | fi | ||
| 191 | if·which·dnf·;·then | ||
| 192 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 193 | ····dnf·install·-y·"$package" | ||
| 194 | ··fi | ||
| 195 | elif·which·yum·;·then | ||
| 196 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 197 | ····yum·install·-y·"$package" | ||
| 198 | ··fi | ||
| 199 | elif·which·apt-get·;·then | ||
| 200 | ··apt-get·install·-y·"$package" | ||
| 201 | else | ||
| 202 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 203 | ··echo·"Aborting." | ||
| 204 | ··exit·1 | ||
| 205 | fi | ||
| 206 | } | ||
| 207 | package_install·aide | ||
| 208 | #·END·fix·for·'package_aide_installed' | ||
| 209 | ############################################################################### | ||
| 210 | #·BEGIN·fix·(9·/·94)·for·'aide_periodic_cron_checking' | ||
| 211 | ############################################################################### | ||
| 212 | (>&2·echo·"Remediating·rule·9/94:·'aide_periodic_cron_checking'") | ||
| 213 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 214 | # | ||
| 215 | #·Example·Call(s): | ||
| 216 | # | ||
| 217 | #·····package_install·aide | ||
| 218 | # | ||
| 219 | function·package_install·{ | ||
| 220 | #·Load·function·arguments·into·local·variables | ||
| 221 | local·package="$1" | ||
| 222 | #·Check·sanity·of·the·input | ||
| 223 | if·[·$#·-ne·"1"·] | ||
| 224 | then | ||
| 225 | ··echo·"Usage:·package_install·'package_name'" | ||
| 226 | ··echo·"Aborting." | ||
| 227 | ··exit·1 | ||
| 228 | fi | ||
| 229 | if·which·dnf·;·then | ||
| 230 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 231 | ····dnf·install·-y·"$package" | ||
| 232 | ··fi | ||
| 233 | elif·which·yum·;·then | ||
| 234 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 235 | ····yum·install·-y·"$package" | ||
| Max diff block lines reached; 176223/192119 bytes (91.73%) of diff not shown. | |||
| Offset 18, 38 lines modified | Offset 18, 120 lines modified | ||
| 18 | # | 18 | # |
| 19 | #·How·to·apply·this·remediation·role: | 19 | #·How·to·apply·this·remediation·role: |
| 20 | #·$·sudo·./remediation-role.sh | 20 | #·$·sudo·./remediation-role.sh |
| 21 | # | 21 | # |
| 22 | ############################################################################### | 22 | ############################################################################### |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | #·BEGIN·fix·(1·/·94)·for·'service_ | 24 | #·BEGIN·fix·(1·/·94)·for·'service_atd_disabled' |
| 25 | ############################################################################### | 25 | ############################################################################### |
| 26 | (>&2·echo·"Remediating·rule·1/94:·'service_ | 26 | (>&2·echo·"Remediating·rule·1/94:·'service_atd_disabled'") |
| 27 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | ||
| 28 | # | ||
| 29 | #·Example·Call(s): | ||
| 30 | # | ||
| 31 | #·····service_command·enable·bluetooth | ||
| 32 | #·····service_command·disable·bluetooth.service | ||
| 33 | # | ||
| 34 | #·····Using·xinetd: | ||
| 35 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 36 | # | ||
| 37 | function·service_command·{ | ||
| 38 | #·Load·function·arguments·into·local·variables | ||
| 39 | local·service_state=$1 | ||
| 40 | local·service=$2 | ||
| 41 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 42 | #·Check·sanity·of·the·input | ||
| 43 | if·[·$#·-lt·"2"·] | ||
| 44 | then | ||
| 45 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 46 | ··echo | ||
| 47 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 48 | ··echo·"as·the·last·argument"·· | ||
| 49 | ··echo·"Aborting." | ||
| 50 | ··exit·1 | ||
| 51 | fi | ||
| 52 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 53 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 54 | ··service_util="/usr/bin/systemctl" | ||
| 55 | else | ||
| 56 | ··service_util="/sbin/service" | ||
| 57 | ··chkconfig_util="/sbin/chkconfig" | ||
| 58 | fi | ||
| 59 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 60 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 61 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 62 | ··service_state="enable" | ||
| 63 | ··service_operation="start" | ||
| 64 | ··chkconfig_state="on" | ||
| 65 | else | ||
| 66 | ··service_state="disable" | ||
| 67 | ··service_operation="stop" | ||
| 68 | ··chkconfig_state="off" | ||
| 69 | fi | ||
| 70 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 71 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 72 | ··$service_util·$service·$service_operation | ||
| 73 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 74 | else | ||
| 75 | ··$service_util·$service_operation·$service | ||
| 76 | ··$service_util·$service_state·$service | ||
| 77 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 78 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 79 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 80 | ··$service_util·reset-failed·$service | ||
| 81 | fi | ||
| 82 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 83 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 84 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 85 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 86 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 87 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 88 | ··else | ||
| 89 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 90 | ··fi | ||
| 91 | fi | ||
| 92 | } | ||
| 93 | service_command·disable·atd | ||
| 94 | #·END·fix·for·'service_atd_disabled' | ||
| 95 | ############################################################################### | ||
| 96 | #·BEGIN·fix·(2·/·94)·for·'service_rlogin_disabled' | ||
| 97 | ############################################################################### | ||
| 98 | (>&2·echo·"Remediating·rule·2/94:·'service_rlogin_disabled'") | ||
| 27 | #·FIX·FOR·THIS·RULE·IS·MISSING | 99 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 28 | #·END·fix·for·'service_rlogin_disabled' | 100 | #·END·fix·for·'service_rlogin_disabled' |
| 29 | ############################################################################### | 101 | ############################################################################### |
| 30 | #·BEGIN·fix·( | 102 | #·BEGIN·fix·(3·/·94)·for·'service_rexec_disabled' |
| 31 | ############################################################################### | 103 | ############################################################################### |
| 32 | (>&2·echo·"Remediating·rule· | 104 | (>&2·echo·"Remediating·rule·3/94:·'service_rexec_disabled'") |
| 33 | #·FIX·FOR·THIS·RULE·IS·MISSING | 105 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 34 | #·END·fix·for·'service_rexec_disabled' | 106 | #·END·fix·for·'service_rexec_disabled' |
| 35 | ############################################################################### | 107 | ############################################################################### |
| 36 | #·BEGIN·fix·( | 108 | #·BEGIN·fix·(4·/·94)·for·'service_rsh_disabled' |
| 37 | ############################################################################### | 109 | ############################################################################### |
| 38 | (>&2·echo·"Remediating·rule· | 110 | (>&2·echo·"Remediating·rule·4/94:·'service_rsh_disabled'") |
| 39 | #·FIX·FOR·THIS·RULE·IS·MISSING | 111 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 40 | #·END·fix·for·'service_rsh_disabled' | 112 | #·END·fix·for·'service_rsh_disabled' |
| 41 | ############################################################################### | 113 | ############################################################################### |
| 42 | #·BEGIN·fix·( | 114 | #·BEGIN·fix·(5·/·94)·for·'package_rsh-server_removed' |
| 43 | ############################################################################### | 115 | ############################################################################### |
| 44 | (>&2·echo·"Remediating·rule· | 116 | (>&2·echo·"Remediating·rule·5/94:·'package_rsh-server_removed'") |
| 45 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 117 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 46 | # | 118 | # |
| 47 | #·Example·Call(s): | 119 | #·Example·Call(s): |
| 48 | # | 120 | # |
| 49 | #·····package_remove·telnet-server | 121 | #·····package_remove·telnet-server |
| 50 | # | 122 | # |
| 51 | function·package_remove·{ | 123 | function·package_remove·{ |
| Offset 83, 17 lines modified | Offset 165, 17 lines modified | ||
| 83 | } | 165 | } |
| 84 | package_remove·rsh-server | 166 | package_remove·rsh-server |
| 85 | #·END·fix·for·'package_rsh-server_removed' | 167 | #·END·fix·for·'package_rsh-server_removed' |
| Max diff block lines reached; 79730/84667 bytes (94.17%) of diff not shown. | |||
| Offset 45, 31 lines modified | Offset 45, 17 lines modified | ||
| 45 | #·BEGIN·fix·(2·/·186)·for·'mount_option_smb_client_signing' | 45 | #·BEGIN·fix·(2·/·186)·for·'mount_option_smb_client_signing' |
| 46 | ############################################################################### | 46 | ############################################################################### |
| 47 | (>&2·echo·"Remediating·rule·2/186:·'mount_option_smb_client_signing'") | 47 | (>&2·echo·"Remediating·rule·2/186:·'mount_option_smb_client_signing'") |
| 48 | #·FIX·FOR·THIS·RULE·IS·MISSING | 48 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 49 | #·END·fix·for·'mount_option_smb_client_signing' | 49 | #·END·fix·for·'mount_option_smb_client_signing' |
| 50 | ############################################################################### | 50 | ############################################################################### |
| 51 | #·BEGIN·fix·(3·/·186)·for·' | 51 | #·BEGIN·fix·(3·/·186)·for·'service_ntpd_enabled' |
| 52 | ############################################################################### | 52 | ############################################################################### |
| 53 | (>&2·echo·"Remediating·rule·3/186:·' | 53 | (>&2·echo·"Remediating·rule·3/186:·'service_ntpd_enabled'") |
| 54 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 55 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 56 | ############################################################################### | ||
| 57 | #·BEGIN·fix·(4·/·186)·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 58 | ############################################################################### | ||
| 59 | (>&2·echo·"Remediating·rule·4/186:·'sysconfig_networking_bootproto_ifcfg'") | ||
| 60 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 61 | #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' | ||
| 62 | ############################################################################### | ||
| 63 | #·BEGIN·fix·(5·/·186)·for·'service_ntpd_enabled' | ||
| 64 | ############################################################################### | ||
| 65 | (>&2·echo·"Remediating·rule·5/186:·'service_ntpd_enabled'") | ||
| 66 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 54 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 67 | # | 55 | # |
| 68 | #·Example·Call(s): | 56 | #·Example·Call(s): |
| 69 | # | 57 | # |
| 70 | #·····service_command·enable·bluetooth | 58 | #·····service_command·enable·bluetooth |
| 71 | #·····service_command·disable·bluetooth.service | 59 | #·····service_command·disable·bluetooth.service |
| 72 | # | 60 | # |
| Offset 141, 45 lines modified | Offset 127, 24 lines modified | ||
| 141 | } | 127 | } |
| 142 | service_command·enable·ntpd | 128 | service_command·enable·ntpd |
| 143 | #·END·fix·for·'service_ntpd_enabled' | 129 | #·END·fix·for·'service_ntpd_enabled' |
| 144 | ############################################################################### | 130 | ############################################################################### |
| 145 | #·BEGIN·fix·( | 131 | #·BEGIN·fix·(4·/·186)·for·'ntpd_specify_remote_server' |
| 146 | ############################################################################### | 132 | ############################################################################### |
| 147 | (>&2·echo·"Remediating·rule· | 133 | (>&2·echo·"Remediating·rule·4/186:·'ntpd_specify_remote_server'") |
| 148 | #·FIX·FOR·THIS·RULE·IS·MISSING | 134 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 149 | #·END·fix·for·'ntpd_specify_remote_server' | 135 | #·END·fix·for·'ntpd_specify_remote_server' |
| 150 | ############################################################################### | 136 | ############################################################################### |
| 151 | #·BEGIN·fix·( | 137 | #·BEGIN·fix·(5·/·186)·for·'package_openldap-servers_removed' |
| 152 | ############################################################################### | ||
| 153 | (>&2·echo·"Remediating·rule·7/186:·'service_rlogin_disabled'") | ||
| 154 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 155 | #·END·fix·for·'service_rlogin_disabled' | ||
| 156 | ############################################################################### | ||
| 157 | #·BEGIN·fix·(8·/·186)·for·'service_rexec_disabled' | ||
| 158 | ############################################################################### | 138 | ############################################################################### |
| 159 | (>&2·echo·"Remediating·rule· | 139 | (>&2·echo·"Remediating·rule·5/186:·'package_openldap-servers_removed'") |
| 160 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 161 | #·END·fix·for·'service_rexec_disabled' | ||
| 162 | ############################################################################### | ||
| 163 | #·BEGIN·fix·(9·/·186)·for·'service_rsh_disabled' | ||
| 164 | ############################################################################### | ||
| 165 | (>&2·echo·"Remediating·rule·9/186:·'service_rsh_disabled'") | ||
| 166 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 167 | #·END·fix·for·'service_rsh_disabled' | ||
| 168 | ############################################################################### | ||
| 169 | #·BEGIN·fix·(10·/·186)·for·'package_rsh-server_removed' | ||
| 170 | ############################################################################### | ||
| 171 | (>&2·echo·"Remediating·rule·10/186:·'package_rsh-server_removed'") | ||
| 172 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 140 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 173 | # | 141 | # |
| 174 | #·Example·Call(s): | 142 | #·Example·Call(s): |
| 175 | # | 143 | # |
| 176 | #·····package_remove·telnet-server | 144 | #·····package_remove·telnet-server |
| 177 | # | 145 | # |
| 178 | function·package_remove·{ | 146 | function·package_remove·{ |
| Offset 209, 83 lines modified | Offset 174, 279 lines modified | ||
| 209 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 174 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 210 | ··echo·"Aborting." | 175 | ··echo·"Aborting." |
| 211 | ··exit·1 | 176 | ··exit·1 |
| 212 | fi | 177 | fi |
| 213 | } | 178 | } |
| 214 | package_remove· | 179 | package_remove·openldap-servers |
| 215 | #·END·fix·for·'package_ | 180 | #·END·fix·for·'package_openldap-servers_removed' |
| 216 | ############################################################################### | 181 | ############################################################################### |
| 217 | #·BEGIN·fix·( | 182 | #·BEGIN·fix·(6·/·186)·for·'ldap_client_start_tls' |
| 218 | ############################################################################### | 183 | ############################################################################### |
| 219 | (>&2·echo·"Remediating·rule· | 184 | (>&2·echo·"Remediating·rule·6/186:·'ldap_client_start_tls'") |
| 220 | find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; | ||
| 221 | if·[·-f·/etc/hosts.equiv·];·then | ||
| 222 | 185 | #·Use·LDAP·for·authentication | |
| 223 | fi | 186 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 224 | #· | 187 | #·it·does·not·exist. |
| 188 | # | ||
| 189 | #·Expects·arguments: | ||
| 190 | # | ||
| 191 | #·config_file:» » Configuration·file·that·will·be·modified | ||
| 192 | #·key:» » » Configuration·option·to·change | ||
| 193 | #·value:»»Value·of·the·configuration·option·to·change | ||
| 194 | #·cce:» » » The·CCE·identifier·or·'@CCENUM@'·if·no·CCE·identifier·exists | ||
| 195 | #·format:» » The·printf-like·format·string·that·will·be·given·stripped·key·and·value·as·arguments, | ||
| 196 | #» » » so·e.g.·'%s=%s'·will·result·in·key=value·subsitution·(i.e.·without·spaces·around·=) | ||
| 197 | # | ||
| 198 | #·Optional·arugments: | ||
| 199 | # | ||
| 200 | #·format:» » Optional·argument·to·specify·the·format·of·how·key/value·should·be | ||
| 201 | #·» » » modified/appended·in·the·configuration·file.·The·default·is·key·=·value. | ||
| 202 | # | ||
| 203 | #·Example·Call(s): | ||
| 204 | # | ||
| 205 | #·····With·default·format·of·'key·=·value': | ||
| 206 | #·····replace_or_append·'/etc/sysctl.conf'·'^kernel.randomize_va_space'·'2'·'@CCENUM@' | ||
| 207 | # | ||
| 208 | #·····With·custom·key/value·format: | ||
| 209 | #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·'disabled'·'@CCENUM@'·'%s=%s' | ||
| 210 | # | ||
| 211 | #·····With·a·variable: | ||
| 212 | #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'@CCENUM@'·'%s=%s' | ||
| 213 | # | ||
| 214 | function·replace_or_append·{ | ||
| 215 | ··local·default_format='%s·=·%s'·case_insensitive_mode=yes·sed_case_insensitive_option=''·grep_case_insensitive_option='' | ||
| 216 | ··local·config_file=$1 | ||
| Max diff block lines reached; 274005/285608 bytes (95.94%) of diff not shown. | |||
| Offset 46, 24 lines modified | Offset 46, 17 lines modified | ||
| 46 | #·BEGIN·fix·(2·/·182)·for·'mount_option_smb_client_signing' | 46 | #·BEGIN·fix·(2·/·182)·for·'mount_option_smb_client_signing' |
| 47 | ############################################################################### | 47 | ############################################################################### |
| 48 | (>&2·echo·"Remediating·rule·2/182:·'mount_option_smb_client_signing'") | 48 | (>&2·echo·"Remediating·rule·2/182:·'mount_option_smb_client_signing'") |
| 49 | #·FIX·FOR·THIS·RULE·IS·MISSING | 49 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 50 | #·END·fix·for·'mount_option_smb_client_signing' | 50 | #·END·fix·for·'mount_option_smb_client_signing' |
| 51 | ############################################################################### | 51 | ############################################################################### |
| 52 | #·BEGIN·fix·(3·/·182)·for·' | 52 | #·BEGIN·fix·(3·/·182)·for·'service_ntpd_enabled' |
| 53 | ############################################################################### | 53 | ############################################################################### |
| 54 | (>&2·echo·"Remediating·rule·3/182:·' | 54 | (>&2·echo·"Remediating·rule·3/182:·'service_ntpd_enabled'") |
| 55 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 56 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 57 | ############################################################################### | ||
| 58 | #·BEGIN·fix·(4·/·182)·for·'service_ntpd_enabled' | ||
| 59 | ############################################################################### | ||
| 60 | (>&2·echo·"Remediating·rule·4/182:·'service_ntpd_enabled'") | ||
| 61 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 55 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 62 | # | 56 | # |
| 63 | #·Example·Call(s): | 57 | #·Example·Call(s): |
| 64 | # | 58 | # |
| 65 | #·····service_command·enable·bluetooth | 59 | #·····service_command·enable·bluetooth |
| 66 | #·····service_command·disable·bluetooth.service | 60 | #·····service_command·disable·bluetooth.service |
| 67 | # | 61 | # |
| Offset 135, 45 lines modified | Offset 128, 24 lines modified | ||
| 135 | } | 128 | } |
| 136 | service_command·enable·ntpd | 129 | service_command·enable·ntpd |
| 137 | #·END·fix·for·'service_ntpd_enabled' | 130 | #·END·fix·for·'service_ntpd_enabled' |
| 138 | ############################################################################### | 131 | ############################################################################### |
| 139 | #·BEGIN·fix·( | 132 | #·BEGIN·fix·(4·/·182)·for·'ntpd_specify_remote_server' |
| 140 | ############################################################################### | 133 | ############################################################################### |
| 141 | (>&2·echo·"Remediating·rule· | 134 | (>&2·echo·"Remediating·rule·4/182:·'ntpd_specify_remote_server'") |
| 142 | #·FIX·FOR·THIS·RULE·IS·MISSING | 135 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 143 | #·END·fix·for·'ntpd_specify_remote_server' | 136 | #·END·fix·for·'ntpd_specify_remote_server' |
| 144 | ############################################################################### | 137 | ############################################################################### |
| 145 | #·BEGIN·fix·( | 138 | #·BEGIN·fix·(5·/·182)·for·'package_openldap-servers_removed' |
| 146 | ############################################################################### | ||
| 147 | (>&2·echo·"Remediating·rule·6/182:·'service_rlogin_disabled'") | ||
| 148 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 149 | #·END·fix·for·'service_rlogin_disabled' | ||
| 150 | ############################################################################### | ||
| 151 | #·BEGIN·fix·(7·/·182)·for·'service_rexec_disabled' | ||
| 152 | ############################################################################### | ||
| 153 | (>&2·echo·"Remediating·rule·7/182:·'service_rexec_disabled'") | ||
| 154 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 155 | #·END·fix·for·'service_rexec_disabled' | ||
| 156 | ############################################################################### | ||
| 157 | #·BEGIN·fix·(8·/·182)·for·'service_rsh_disabled' | ||
| 158 | ############################################################################### | 139 | ############################################################################### |
| 159 | (>&2·echo·"Remediating·rule· | 140 | (>&2·echo·"Remediating·rule·5/182:·'package_openldap-servers_removed'") |
| 160 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 161 | #·END·fix·for·'service_rsh_disabled' | ||
| 162 | ############################################################################### | ||
| 163 | #·BEGIN·fix·(9·/·182)·for·'package_rsh-server_removed' | ||
| 164 | ############################################################################### | ||
| 165 | (>&2·echo·"Remediating·rule·9/182:·'package_rsh-server_removed'") | ||
| 166 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 141 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 167 | # | 142 | # |
| 168 | #·Example·Call(s): | 143 | #·Example·Call(s): |
| 169 | # | 144 | # |
| 170 | #·····package_remove·telnet-server | 145 | #·····package_remove·telnet-server |
| 171 | # | 146 | # |
| 172 | function·package_remove·{ | 147 | function·package_remove·{ |
| Offset 203, 83 lines modified | Offset 175, 279 lines modified | ||
| 203 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 175 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 204 | ··echo·"Aborting." | 176 | ··echo·"Aborting." |
| 205 | ··exit·1 | 177 | ··exit·1 |
| 206 | fi | 178 | fi |
| 207 | } | 179 | } |
| 208 | package_remove· | 180 | package_remove·openldap-servers |
| 209 | #·END·fix·for·'package_ | 181 | #·END·fix·for·'package_openldap-servers_removed' |
| 210 | ############################################################################### | 182 | ############################################################################### |
| 211 | #·BEGIN·fix·( | 183 | #·BEGIN·fix·(6·/·182)·for·'ldap_client_start_tls' |
| 212 | ############################################################################### | 184 | ############################################################################### |
| 213 | (>&2·echo·"Remediating·rule· | 185 | (>&2·echo·"Remediating·rule·6/182:·'ldap_client_start_tls'") |
| 214 | find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; | ||
| 215 | if·[·-f·/etc/hosts.equiv·];·then | ||
| 216 | 186 | #·Use·LDAP·for·authentication | |
| 217 | fi | 187 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 218 | #· | 188 | #·it·does·not·exist. |
| 189 | # | ||
| 190 | #·Expects·arguments: | ||
| 191 | # | ||
| 192 | #·config_file:» » Configuration·file·that·will·be·modified | ||
| 193 | #·key:» » » Configuration·option·to·change | ||
| 194 | #·value:»»Value·of·the·configuration·option·to·change | ||
| 195 | #·cce:» » » The·CCE·identifier·or·'@CCENUM@'·if·no·CCE·identifier·exists | ||
| 196 | #·format:» » The·printf-like·format·string·that·will·be·given·stripped·key·and·value·as·arguments, | ||
| 197 | #» » » so·e.g.·'%s=%s'·will·result·in·key=value·subsitution·(i.e.·without·spaces·around·=) | ||
| 198 | # | ||
| 199 | #·Optional·arugments: | ||
| 200 | # | ||
| 201 | #·format:» » Optional·argument·to·specify·the·format·of·how·key/value·should·be | ||
| 202 | #·» » » modified/appended·in·the·configuration·file.·The·default·is·key·=·value. | ||
| 203 | # | ||
| 204 | #·Example·Call(s): | ||
| 205 | # | ||
| 206 | #·····With·default·format·of·'key·=·value': | ||
| 207 | #·····replace_or_append·'/etc/sysctl.conf'·'^kernel.randomize_va_space'·'2'·'@CCENUM@' | ||
| 208 | # | ||
| 209 | #·····With·custom·key/value·format: | ||
| 210 | #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·'disabled'·'@CCENUM@'·'%s=%s' | ||
| 211 | # | ||
| 212 | #·····With·a·variable: | ||
| 213 | #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'@CCENUM@'·'%s=%s' | ||
| 214 | # | ||
| 215 | function·replace_or_append·{ | ||
| 216 | ··local·default_format='%s·=·%s'·case_insensitive_mode=yes·sed_case_insensitive_option=''·grep_case_insensitive_option='' | ||
| 217 | ··local·config_file=$1 | ||
| 218 | ··local·key=$2 | ||
| 219 | ··local·value=$3 | ||
| 220 | ··local·cce=$4 | ||
| 221 | ··local·format=$5 | ||
| 222 | ··if·[·"$case_insensitive_mode"·=·yes·];·then | ||
| 223 | ····sed_case_insensitive_option="i" | ||
| Max diff block lines reached; 270022/281230 bytes (96.01%) of diff not shown. | |||
| Offset 25, 17 lines modified | Offset 25, 31 lines modified | ||
| 25 | # | 25 | # |
| 26 | #·How·to·apply·this·remediation·role: | 26 | #·How·to·apply·this·remediation·role: |
| 27 | #·$·sudo·./remediation-role.sh | 27 | #·$·sudo·./remediation-role.sh |
| 28 | # | 28 | # |
| 29 | ############################################################################### | 29 | ############################################################################### |
| 30 | ############################################################################### | 30 | ############################################################################### |
| 31 | #·BEGIN·fix·(1·/·250)·for·' | 31 | #·BEGIN·fix·(1·/·250)·for·'ftp_log_transactions' |
| 32 | ############################################################################### | 32 | ############################################################################### |
| 33 | (>&2·echo·"Remediating·rule·1/250:·' | 33 | (>&2·echo·"Remediating·rule·1/250:·'ftp_log_transactions'") |
| 34 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 35 | #·END·fix·for·'ftp_log_transactions' | ||
| 36 | ############################################################################### | ||
| 37 | #·BEGIN·fix·(2·/·250)·for·'ftp_present_banner' | ||
| 38 | ############################################################################### | ||
| 39 | (>&2·echo·"Remediating·rule·2/250:·'ftp_present_banner'") | ||
| 40 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 41 | #·END·fix·for·'ftp_present_banner' | ||
| 42 | ############################################################################### | ||
| 43 | #·BEGIN·fix·(3·/·250)·for·'require_smb_client_signing' | ||
| 44 | ############################################################################### | ||
| 45 | (>&2·echo·"Remediating·rule·3/250:·'require_smb_client_signing'") | ||
| 34 | ###################################################################### | 46 | ###################################################################### |
| 35 | #By·Luke·"Brisk-OH"·Brisk | 47 | #By·Luke·"Brisk-OH"·Brisk |
| 36 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com | 48 | #luke.brisk@boeing.com·or·luke.brisk@gmail.com |
| 37 | ###################################################################### | 49 | ###################################################################### |
| 38 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) | 50 | CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·) |
| Offset 44, 38 lines modified | Offset 58, 113 lines modified | ||
| 44 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf | 58 | » sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 45 | else | 59 | else |
| 46 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf | 60 | » sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf |
| 47 | fi | 61 | fi |
| 48 | #·END·fix·for·'require_smb_client_signing' | 62 | #·END·fix·for·'require_smb_client_signing' |
| 49 | ############################################################################### | 63 | ############################################################################### |
| 50 | #·BEGIN·fix·( | 64 | #·BEGIN·fix·(4·/·250)·for·'mount_option_smb_client_signing' |
| 51 | ############################################################################### | 65 | ############################################################################### |
| 52 | (>&2·echo·"Remediating·rule· | 66 | (>&2·echo·"Remediating·rule·4/250:·'mount_option_smb_client_signing'") |
| 53 | #·FIX·FOR·THIS·RULE·IS·MISSING | 67 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 54 | #·END·fix·for·'mount_option_smb_client_signing' | 68 | #·END·fix·for·'mount_option_smb_client_signing' |
| 55 | ############################################################################### | 69 | ############################################################################### |
| 56 | #·BEGIN·fix·( | 70 | #·BEGIN·fix·(5·/·250)·for·'service_ntpd_enabled' |
| 57 | ############################################################################### | 71 | ############################################################################### |
| 58 | (>&2·echo·"Remediating·rule· | 72 | (>&2·echo·"Remediating·rule·5/250:·'service_ntpd_enabled'") |
| 59 | #·F | 73 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 60 | # | 74 | # |
| 75 | #·Example·Call(s): | ||
| 76 | # | ||
| 77 | #·····service_command·enable·bluetooth | ||
| 78 | #·····service_command·disable·bluetooth.service | ||
| 79 | # | ||
| 80 | #·····Using·xinetd: | ||
| 81 | #·····service_command·disable·rsh.socket·xinetd=rsh | ||
| 82 | # | ||
| 83 | function·service_command·{ | ||
| 84 | #·Load·function·arguments·into·local·variables | ||
| 85 | local·service_state=$1 | ||
| 86 | local·service=$2 | ||
| 87 | local·xinetd=$(echo·$3·|·cut·-d'='·-f2) | ||
| 88 | #·Check·sanity·of·the·input | ||
| 89 | if·[·$#·-lt·"2"·] | ||
| 90 | then | ||
| 91 | ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'" | ||
| 92 | ··echo | ||
| 93 | ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'" | ||
| 94 | ··echo·"as·the·last·argument"·· | ||
| 95 | ··echo·"Aborting." | ||
| 96 | ··exit·1 | ||
| 97 | fi | ||
| 98 | #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands | ||
| 99 | if·[·-f·"/usr/bin/systemctl"·]·;·then | ||
| 100 | ··service_util="/usr/bin/systemctl" | ||
| 101 | else | ||
| 102 | ··service_util="/sbin/service" | ||
| 103 | ··chkconfig_util="/sbin/chkconfig" | ||
| 104 | fi | ||
| 105 | #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services. | ||
| 106 | #·Otherwise,·variables·are·to·be·set·to·disable·services. | ||
| 107 | if·[·"$service_state"·!=·'disable'·]·;·then | ||
| 108 | ··service_state="enable" | ||
| 109 | ··service_operation="start" | ||
| 110 | ··chkconfig_state="on" | ||
| 111 | else | ||
| 112 | ··service_state="disable" | ||
| 113 | ··service_operation="stop" | ||
| 114 | ··chkconfig_state="off" | ||
| 115 | fi | ||
| 116 | #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands. | ||
| 117 | if·[·"x$chkconfig_util"·!=·x·]·;·then | ||
| 118 | ··$service_util·$service·$service_operation | ||
| 119 | ··$chkconfig_util·--level·0123456·$service·$chkconfig_state | ||
| 120 | else | ||
| 121 | ··$service_util·$service_operation·$service | ||
| 122 | ··$service_util·$service_state·$service | ||
| 123 | ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed, | ||
| 124 | ··#·so·let's·reset·the·state·so·OVAL·checks·pass. | ||
| 125 | ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though. | ||
| 126 | ··$service_util·reset-failed·$service | ||
| 127 | fi | ||
| 128 | #·Test·if·local·variable·xinetd·is·empty·using·non-bashism. | ||
| 129 | #·If·empty,·then·xinetd·is·not·being·used. | ||
| 130 | if·[·"x$xinetd"·!=·x·]·;·then | ||
| 131 | ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\ | ||
| 132 | ··if·[·"$service_operation"·=·'disable'·]·;·then | ||
| 133 | ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd | ||
| 134 | ··else | ||
| 135 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | ||
| 136 | ··fi | ||
| 137 | fi | ||
| 138 | } | ||
| 139 | service_command·enable·ntpd | ||
| 140 | #·END·fix·for·'service_ntpd_enabled' | ||
| Max diff block lines reached; 353872/359166 bytes (98.53%) of diff not shown. | |||
| Offset 19, 17 lines modified | Offset 19, 17 lines modified | ||
| 19 | # | 19 | # |
| 20 | #·How·to·apply·this·remediation·role: | 20 | #·How·to·apply·this·remediation·role: |
| 21 | #·$·sudo·./remediation-role.sh | 21 | #·$·sudo·./remediation-role.sh |
| 22 | # | 22 | # |
| 23 | ############################################################################### | 23 | ############################################################################### |
| 24 | ############################################################################### | 24 | ############################################################################### |
| 25 | #·BEGIN·fix·(1·/·223)·for·'service_s | 25 | #·BEGIN·fix·(1·/·223)·for·'service_vsftpd_disabled' |
| 26 | ############################################################################### | 26 | ############################################################################### |
| 27 | (>&2·echo·"Remediating·rule·1/223:·'service_s | 27 | (>&2·echo·"Remediating·rule·1/223:·'service_vsftpd_disabled'") |
| 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 28 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 29 | # | 29 | # |
| 30 | #·Example·Call(s): | 30 | #·Example·Call(s): |
| 31 | # | 31 | # |
| 32 | #·····service_command·enable·bluetooth | 32 | #·····service_command·enable·bluetooth |
| 33 | #·····service_command·disable·bluetooth.service | 33 | #·····service_command·disable·bluetooth.service |
| 34 | # | 34 | # |
| Offset 97, 47 lines modified | Offset 97, 65 lines modified | ||
| 97 | ··else | 97 | ··else |
| 98 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd | 98 | ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd |
| 99 | ··fi | 99 | ··fi |
| 100 | fi | 100 | fi |
| 101 | } | 101 | } |
| 102 | service_command·disable·s | 102 | service_command·disable·vsftpd |
| 103 | #·END·fix·for·'service_s | 103 | #·END·fix·for·'service_vsftpd_disabled' |
| 104 | ############################################################################### | 104 | ############################################################################### |
| 105 | #·BEGIN·fix·(2·/·223)·for·' | 105 | #·BEGIN·fix·(2·/·223)·for·'package_vsftpd_removed' |
| 106 | ############################################################################### | 106 | ############################################################################### |
| 107 | (>&2·echo·"Remediating·rule·2/223:·' | 107 | (>&2·echo·"Remediating·rule·2/223:·'package_vsftpd_removed'") |
| 108 | # | 108 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 109 | # | 109 | # |
| 110 | # | 110 | #·Example·Call(s): |
| 111 | # | 111 | # |
| 112 | #·····package_remove·telnet-server | ||
| 113 | # | ||
| 114 | function·package_remove·{ | ||
| 112 | 115 | #·Load·function·arguments·into·local·variables | |
| 116 | local·package="$1" | ||
| 113 | 117 | #·Check·sanity·of·the·input | |
| 114 | 118 | if·[·$#·-ne·"1"·] | |
| 115 | 119 | then | |
| 120 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 121 | ··echo·"Aborting." | ||
| 122 | ··exit·1 | ||
| 123 | fi | ||
| 124 | if·which·dnf·;·then | ||
| 125 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 126 | ····dnf·remove·-y·"$package" | ||
| 127 | ··fi | ||
| 128 | elif·which·yum·;·then | ||
| 129 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 130 | ····yum·remove·-y·"$package" | ||
| 131 | ··fi | ||
| 132 | elif·which·apt-get·;·then | ||
| 133 | ··apt-get·remove·-y·"$package" | ||
| 116 | else | 134 | else |
| 117 | 135 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | |
| 136 | ··echo·"Aborting." | ||
| 137 | ··exit·1 | ||
| 118 | fi | 138 | fi |
| 119 | #·END·fix·for·'require_smb_client_signing' | ||
| 120 | 139 | } | |
| 121 | #·BEGIN·fix·(3·/·223)·for·'mount_option_smb_client_signing' | ||
| 122 | 140 | package_remove·vsftpd | |
| 123 | 141 | #·END·fix·for·'package_vsftpd_removed' | |
| 124 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 125 | #·END·fix·for·'mount_option_smb_client_signing' | ||
| 126 | ############################################################################### | 142 | ############################################################################### |
| 127 | #·BEGIN·fix·( | 143 | #·BEGIN·fix·(3·/·223)·for·'service_httpd_disabled' |
| 128 | ############################################################################### | 144 | ############################################################################### |
| 129 | (>&2·echo·"Remediating·rule· | 145 | (>&2·echo·"Remediating·rule·3/223:·'service_httpd_disabled'") |
| 130 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 146 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 131 | # | 147 | # |
| 132 | #·Example·Call(s): | 148 | #·Example·Call(s): |
| 133 | # | 149 | # |
| 134 | #·····service_command·enable·bluetooth | 150 | #·····service_command·enable·bluetooth |
| 135 | #·····service_command·disable·bluetooth.service | 151 | #·····service_command·disable·bluetooth.service |
| 136 | # | 152 | # |
| Offset 209, 17 lines modified | Offset 227, 17 lines modified | ||
| 209 | } | 227 | } |
| 210 | service_command·disable·httpd | 228 | service_command·disable·httpd |
| 211 | #·END·fix·for·'service_httpd_disabled' | 229 | #·END·fix·for·'service_httpd_disabled' |
| 212 | ############################################################################### | 230 | ############################################################################### |
| 213 | #·BEGIN·fix·( | 231 | #·BEGIN·fix·(4·/·223)·for·'package_httpd_removed' |
| 214 | ############################################################################### | 232 | ############################################################################### |
| 215 | (>&2·echo·"Remediating·rule· | 233 | (>&2·echo·"Remediating·rule·4/223:·'package_httpd_removed'") |
| 216 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 234 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 217 | # | 235 | # |
| 218 | #·Example·Call(s): | 236 | #·Example·Call(s): |
| 219 | # | 237 | # |
| 220 | #·····package_remove·telnet-server | 238 | #·····package_remove·telnet-server |
| 221 | # | 239 | # |
| 222 | function·package_remove·{ | 240 | function·package_remove·{ |
| Offset 253, 68 lines modified | Offset 271, 99 lines modified | ||
| 253 | } | 271 | } |
| 254 | package_remove·httpd | 272 | package_remove·httpd |
| 255 | #·END·fix·for·'package_httpd_removed' | 273 | #·END·fix·for·'package_httpd_removed' |
| 256 | ############################################################################### | 274 | ############################################################################### |
| 257 | #·BEGIN·fix·( | 275 | #·BEGIN·fix·(5·/·223)·for·'service_named_disabled' |
| 258 | ############################################################################### | ||
| 259 | (>&2·echo·"Remediating·rule·6/223:·'postfix_network_listening_disabled'") | ||
| 260 | #·FIX·FOR·THIS·RULE·IS·MISSING | ||
| 261 | #·END·fix·for·'postfix_network_listening_disabled' | ||
| 262 | ############################################################################### | ||
| 263 | #·BEGIN·fix·(7·/·223)·for·'package_sendmail_removed' | ||
| 264 | ############################################################################### | 276 | ############################################################################### |
| 265 | (>&2·echo·"Remediating·rule· | 277 | (>&2·echo·"Remediating·rule·5/223:·'service_named_disabled'") |
| 266 | #·Function·to· | 278 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 267 | # | 279 | # |
| 268 | #·Example·Call(s): | 280 | #·Example·Call(s): |
| 269 | # | 281 | # |
| 270 | #····· | 282 | #·····service_command·enable·bluetooth |
| Max diff block lines reached; 388953/394659 bytes (98.55%) of diff not shown. | |||
| Offset 369, 17 lines modified | Offset 369, 61 lines modified | ||
| 369 | } | 369 | } |
| 370 | service_command·disable·tftp | 370 | service_command·disable·tftp |
| 371 | #·END·fix·for·'service_tftp_disabled' | 371 | #·END·fix·for·'service_tftp_disabled' |
| 372 | ############################################################################### | 372 | ############################################################################### |
| 373 | #·BEGIN·fix·(11·/·213)·for·' | 373 | #·BEGIN·fix·(11·/·213)·for·'package_tcp_wrappers_installed' |
| 374 | ############################################################################### | 374 | ############################################################################### |
| 375 | (>&2·echo·"Remediating·rule·11/213:·' | 375 | (>&2·echo·"Remediating·rule·11/213:·'package_tcp_wrappers_installed'") |
| 376 | #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 377 | # | ||
| 378 | #·Example·Call(s): | ||
| 379 | # | ||
| 380 | #·····package_install·aide | ||
| 381 | # | ||
| 382 | function·package_install·{ | ||
| 383 | #·Load·function·arguments·into·local·variables | ||
| 384 | local·package="$1" | ||
| 385 | #·Check·sanity·of·the·input | ||
| 386 | if·[·$#·-ne·"1"·] | ||
| 387 | then | ||
| 388 | ··echo·"Usage:·package_install·'package_name'" | ||
| 389 | ··echo·"Aborting." | ||
| 390 | ··exit·1 | ||
| 391 | fi | ||
| 392 | if·which·dnf·;·then | ||
| 393 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 394 | ····dnf·install·-y·"$package" | ||
| 395 | ··fi | ||
| 396 | elif·which·yum·;·then | ||
| 397 | ··if·!·rpm·-q·--quiet·"$package";·then | ||
| 398 | ····yum·install·-y·"$package" | ||
| 399 | ··fi | ||
| 400 | elif·which·apt-get·;·then | ||
| 401 | ··apt-get·install·-y·"$package" | ||
| 402 | else | ||
| 403 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 404 | ··echo·"Aborting." | ||
| 405 | ··exit·1 | ||
| 406 | fi | ||
| 407 | } | ||
| 408 | package_install·tcp_wrappers | ||
| 409 | #·END·fix·for·'package_tcp_wrappers_installed' | ||
| 410 | ############################################################################### | ||
| 411 | #·BEGIN·fix·(12·/·213)·for·'service_xinetd_disabled' | ||
| 412 | ############################################################################### | ||
| 413 | (>&2·echo·"Remediating·rule·12/213:·'service_xinetd_disabled'") | ||
| 376 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 414 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 377 | # | 415 | # |
| 378 | #·Example·Call(s): | 416 | #·Example·Call(s): |
| 379 | # | 417 | # |
| 380 | #·····service_command·enable·bluetooth | 418 | #·····service_command·enable·bluetooth |
| 381 | #·····service_command·disable·bluetooth.service | 419 | #·····service_command·disable·bluetooth.service |
| 382 | # | 420 | # |
| Offset 451, 61 lines modified | Offset 495, 61 lines modified | ||
| 451 | } | 495 | } |
| 452 | service_command·disable·xinetd | 496 | service_command·disable·xinetd |
| 453 | #·END·fix·for·'service_xinetd_disabled' | 497 | #·END·fix·for·'service_xinetd_disabled' |
| 454 | ############################################################################### | 498 | ############################################################################### |
| 455 | #·BEGIN·fix·(1 | 499 | #·BEGIN·fix·(13·/·213)·for·'package_talk_removed' |
| 456 | ############################################################################### | 500 | ############################################################################### |
| 457 | (>&2·echo·"Remediating·rule·1 | 501 | (>&2·echo·"Remediating·rule·13/213:·'package_talk_removed'") |
| 458 | #·Function·to· | 502 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 459 | # | 503 | # |
| 460 | #·Example·Call(s): | 504 | #·Example·Call(s): |
| 461 | # | 505 | # |
| 462 | #·····package_ | 506 | #·····package_remove·telnet-server |
| 463 | # | 507 | # |
| 464 | function·package_ | 508 | function·package_remove·{ |
| 465 | #·Load·function·arguments·into·local·variables | 509 | #·Load·function·arguments·into·local·variables |
| 466 | local·package="$1" | 510 | local·package="$1" |
| 467 | #·Check·sanity·of·the·input | 511 | #·Check·sanity·of·the·input |
| 468 | if·[·$#·-ne·"1"·] | 512 | if·[·$#·-ne·"1"·] |
| 469 | then | 513 | then |
| 470 | ··echo·"Usage:·package_ | 514 | ··echo·"Usage:·package_remove·'package_name'" |
| 471 | ··echo·"Aborting." | 515 | ··echo·"Aborting." |
| 472 | ··exit·1 | 516 | ··exit·1 |
| 473 | fi | 517 | fi |
| 474 | if·which·dnf·;·then | 518 | if·which·dnf·;·then |
| 475 | ··if· | 519 | ··if·rpm·-q·--quiet·"$package";·then |
| 476 | ····dnf· | 520 | ····dnf·remove·-y·"$package" |
| 477 | ··fi | 521 | ··fi |
| 478 | elif·which·yum·;·then | 522 | elif·which·yum·;·then |
| 479 | ··if· | 523 | ··if·rpm·-q·--quiet·"$package";·then |
| 480 | ····yum· | 524 | ····yum·remove·-y·"$package" |
| 481 | ··fi | 525 | ··fi |
| 482 | elif·which·apt-get·;·then | 526 | elif·which·apt-get·;·then |
| 483 | ··apt-get· | 527 | ··apt-get·remove·-y·"$package" |
| 484 | else | 528 | else |
| 485 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 529 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 486 | ··echo·"Aborting." | 530 | ··echo·"Aborting." |
| 487 | ··exit·1 | 531 | ··exit·1 |
| 488 | fi | 532 | fi |
| 489 | } | 533 | } |
| 490 | package_ | 534 | package_remove·talk |
| 491 | #·END·fix·for·'package_t | 535 | #·END·fix·for·'package_talk_removed' |
| 492 | ############################################################################### | 536 | ############################################################################### |
| 493 | #·BEGIN·fix·(1 | 537 | #·BEGIN·fix·(14·/·213)·for·'package_talk-server_removed' |
| 494 | ############################################################################### | 538 | ############################################################################### |
| 495 | (>&2·echo·"Remediating·rule·1 | 539 | (>&2·echo·"Remediating·rule·14/213:·'package_talk-server_removed'") |
| 496 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 540 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 497 | # | 541 | # |
| 498 | #·Example·Call(s): | 542 | #·Example·Call(s): |
| 499 | # | 543 | # |
| 500 | #·····package_remove·telnet-server | 544 | #·····package_remove·telnet-server |
| 501 | # | 545 | # |
| 502 | function·package_remove·{ | 546 | function·package_remove·{ |
| Offset 535, 65 lines modified | Offset 579, 103 lines modified | ||
| 535 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | 579 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" |
| 536 | ··echo·"Aborting." | 580 | ··echo·"Aborting." |
| 537 | ··exit·1 | 581 | ··exit·1 |
| Max diff block lines reached; 132822/137164 bytes (96.83%) of diff not shown. | |||
| Offset 192, 17 lines modified | Offset 192, 19 lines modified | ||
| 192 | ··fi | 192 | ··fi |
| 193 | } | 193 | } |
| 194 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' | 194 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' |
| 195 | #·END·fix·for·'sshd_set_keepalive' | 195 | #·END·fix·for·'sshd_set_keepalive' |
| 196 | ############################################################################### | 196 | ############################################################################### |
| 197 | #·BEGIN·fix·(3·/·102)·for·'sshd_e | 197 | #·BEGIN·fix·(3·/·102)·for·'sshd_set_idle_timeout' |
| 198 | ############################################################################### | 198 | ############################################################################### |
| 199 | (>&2·echo·"Remediating·rule·3/102:·'sshd_e | 199 | (>&2·echo·"Remediating·rule·3/102:·'sshd_set_idle_timeout'") |
| 200 | sshd_idle_timeout_value="1800" | ||
| 200 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 201 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 201 | #·it·does·not·exist. | 202 | #·it·does·not·exist. |
| 202 | # | 203 | # |
| 203 | #·Expects·arguments: | 204 | #·Expects·arguments: |
| 204 | # | 205 | # |
| 205 | #·config_file:» » Configuration·file·that·will·be·modified | 206 | #·config_file:» » Configuration·file·that·will·be·modified |
| 206 | #·key:» » » Configuration·option·to·change | 207 | #·key:» » » Configuration·option·to·change |
| Offset 273, 21 lines modified | Offset 275, 21 lines modified | ||
| 273 | ··else | 275 | ··else |
| 274 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 276 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 275 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 277 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 276 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 278 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 277 | ··fi | 279 | ··fi |
| 278 | } | 280 | } |
| 279 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 281 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 280 | #·END·fix·for·'sshd_e | 282 | #·END·fix·for·'sshd_set_idle_timeout' |
| 281 | ############################################################################### | 283 | ############################################################################### |
| 282 | #·BEGIN·fix·(4·/·102)·for·'sshd_ | 284 | #·BEGIN·fix·(4·/·102)·for·'sshd_enable_warning_banner' |
| 283 | ############################################################################### | 285 | ############################################################################### |
| 284 | (>&2·echo·"Remediating·rule·4/102:·'sshd_ | 286 | (>&2·echo·"Remediating·rule·4/102:·'sshd_enable_warning_banner'") |
| 285 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 287 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 286 | #·it·does·not·exist. | 288 | #·it·does·not·exist. |
| 287 | # | 289 | # |
| 288 | #·Expects·arguments: | 290 | #·Expects·arguments: |
| 289 | # | 291 | # |
| 290 | #·config_file:» » Configuration·file·that·will·be·modified | 292 | #·config_file:» » Configuration·file·that·will·be·modified |
| 291 | #·key:» » » Configuration·option·to·change | 293 | #·key:» » » Configuration·option·to·change |
| Offset 358, 16 lines modified | Offset 360, 16 lines modified | ||
| 358 | ··else | 360 | ··else |
| 359 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 361 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 360 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 362 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 361 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 363 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 362 | ··fi | 364 | ··fi |
| 363 | } | 365 | } |
| 364 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 366 | replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s' |
| 365 | #·END·fix·for·'sshd_ | 367 | #·END·fix·for·'sshd_enable_warning_banner' |
| 366 | ############################################################################### | 368 | ############################################################################### |
| 367 | #·BEGIN·fix·(5·/·102)·for·'sshd_allow_only_protocol2' | 369 | #·BEGIN·fix·(5·/·102)·for·'sshd_allow_only_protocol2' |
| 368 | ############################################################################### | 370 | ############################################################################### |
| 369 | (>&2·echo·"Remediating·rule·5/102:·'sshd_allow_only_protocol2'") | 371 | (>&2·echo·"Remediating·rule·5/102:·'sshd_allow_only_protocol2'") |
| 370 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 372 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 371 | #·it·does·not·exist. | 373 | #·it·does·not·exist. |
| Offset 532, 19 lines modified | Offset 534, 17 lines modified | ||
| 532 | ··fi | 534 | ··fi |
| 533 | } | 535 | } |
| 534 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s' | 536 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s' |
| 535 | #·END·fix·for·'sshd_disable_rhosts' | 537 | #·END·fix·for·'sshd_disable_rhosts' |
| 536 | ############################################################################### | 538 | ############################################################################### |
| 537 | #·BEGIN·fix·(7·/·102)·for·'sshd_ | 539 | #·BEGIN·fix·(7·/·102)·for·'sshd_do_not_permit_user_env' |
| 538 | ############################################################################### | 540 | ############################################################################### |
| 539 | (>&2·echo·"Remediating·rule·7/102:·'sshd_ | 541 | (>&2·echo·"Remediating·rule·7/102:·'sshd_do_not_permit_user_env'") |
| 540 | sshd_idle_timeout_value="1800" | ||
| 541 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 542 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 542 | #·it·does·not·exist. | 543 | #·it·does·not·exist. |
| 543 | # | 544 | # |
| 544 | #·Expects·arguments: | 545 | #·Expects·arguments: |
| 545 | # | 546 | # |
| 546 | #·config_file:» » Configuration·file·that·will·be·modified | 547 | #·config_file:» » Configuration·file·that·will·be·modified |
| 547 | #·key:» » » Configuration·option·to·change | 548 | #·key:» » » Configuration·option·to·change |
| Offset 615, 16 lines modified | Offset 615, 16 lines modified | ||
| 615 | ··else | 615 | ··else |
| 616 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 616 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 617 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 617 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 618 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 618 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 619 | ··fi | 619 | ··fi |
| 620 | } | 620 | } |
| 621 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 621 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s' |
| 622 | #·END·fix·for·'sshd_ | 622 | #·END·fix·for·'sshd_do_not_permit_user_env' |
| 623 | ############################################################################### | 623 | ############################################################################### |
| 624 | #·BEGIN·fix·(8·/·102)·for·'sshd_use_approved_ciphers' | 624 | #·BEGIN·fix·(8·/·102)·for·'sshd_use_approved_ciphers' |
| 625 | ############################################################################### | 625 | ############################################################################### |
| 626 | (>&2·echo·"Remediating·rule·8/102:·'sshd_use_approved_ciphers'") | 626 | (>&2·echo·"Remediating·rule·8/102:·'sshd_use_approved_ciphers'") |
| 627 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 627 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 628 | #·it·does·not·exist. | 628 | #·it·does·not·exist. |
| Offset 1193, 19 lines modified | Offset 1193, 17 lines modified | ||
| 1193 | include_dconf_settings | 1193 | include_dconf_settings |
| 1194 | dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings' | 1194 | dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings' |
| 1195 | dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock' | 1195 | dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock' |
| 1196 | #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled' | 1196 | #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled' |
| 1197 | ############################################################################### | 1197 | ############################################################################### |
| 1198 | #·BEGIN·fix·(23·/·102)·for·'dconf_gnome_screensaver_ | 1198 | #·BEGIN·fix·(23·/·102)·for·'dconf_gnome_screensaver_mode_blank' |
| 1199 | ############################################################################### | 1199 | ############################################################################### |
| 1200 | (>&2·echo·"Remediating·rule·23/102:·'dconf_gnome_screensaver_ | 1200 | (>&2·echo·"Remediating·rule·23/102:·'dconf_gnome_screensaver_mode_blank'") |
| 1201 | inactivity_timeout_value="1800" | ||
| 1202 | function·include_dconf_settings·{ | 1201 | function·include_dconf_settings·{ |
| 1203 | » : | 1202 | » : |
| 1204 | } | 1203 | } |
| 1205 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 1204 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 1206 | # | 1205 | # |
| 1207 | #·Example·Call(s): | 1206 | #·Example·Call(s): |
| Offset 1273, 22 lines modified | Offset 1271, 24 lines modified | ||
| 1273 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 1271 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 1274 | » fi | 1272 | » fi |
| 1275 | } | 1273 | } |
| 1276 | include_dconf_settings | 1274 | include_dconf_settings |
| 1277 | dconf_settings·'org/gnome/desktop/s | 1275 | dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings' |
| 1278 | dconf_lock·'org/gnome/desktop/ses | 1276 | dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock' |
| 1279 | #·END·fix·for·'dconf_gnome_screensaver_ | 1277 | #·END·fix·for·'dconf_gnome_screensaver_mode_blank' |
| Max diff block lines reached; 69231/75731 bytes (91.42%) of diff not shown. | |||
| Offset 285, 17 lines modified | Offset 285, 61 lines modified | ||
| 285 | } | 285 | } |
| 286 | package_remove·telnet-server | 286 | package_remove·telnet-server |
| 287 | #·END·fix·for·'package_telnet-server_removed' | 287 | #·END·fix·for·'package_telnet-server_removed' |
| 288 | ############################################################################### | 288 | ############################################################################### |
| 289 | #·BEGIN·fix·(10·/·149)·for·' | 289 | #·BEGIN·fix·(10·/·149)·for·'package_ypbind_removed' |
| 290 | ############################################################################### | 290 | ############################################################################### |
| 291 | (>&2·echo·"Remediating·rule·10/149:·' | 291 | (>&2·echo·"Remediating·rule·10/149:·'package_ypbind_removed'") |
| 292 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 293 | # | ||
| 294 | #·Example·Call(s): | ||
| 295 | # | ||
| 296 | #·····package_remove·telnet-server | ||
| 297 | # | ||
| 298 | function·package_remove·{ | ||
| 299 | #·Load·function·arguments·into·local·variables | ||
| 300 | local·package="$1" | ||
| 301 | #·Check·sanity·of·the·input | ||
| 302 | if·[·$#·-ne·"1"·] | ||
| 303 | then | ||
| 304 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 305 | ··echo·"Aborting." | ||
| 306 | ··exit·1 | ||
| 307 | fi | ||
| 308 | if·which·dnf·;·then | ||
| 309 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 310 | ····dnf·remove·-y·"$package" | ||
| 311 | ··fi | ||
| 312 | elif·which·yum·;·then | ||
| 313 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 314 | ····yum·remove·-y·"$package" | ||
| 315 | ··fi | ||
| 316 | elif·which·apt-get·;·then | ||
| 317 | ··apt-get·remove·-y·"$package" | ||
| 318 | else | ||
| 319 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 320 | ··echo·"Aborting." | ||
| 321 | ··exit·1 | ||
| 322 | fi | ||
| 323 | } | ||
| 324 | package_remove·ypbind | ||
| 325 | #·END·fix·for·'package_ypbind_removed' | ||
| 326 | ############################################################################### | ||
| 327 | #·BEGIN·fix·(11·/·149)·for·'service_ypbind_disabled' | ||
| 328 | ############################################################################### | ||
| 329 | (>&2·echo·"Remediating·rule·11/149:·'service_ypbind_disabled'") | ||
| 292 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 330 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 293 | # | 331 | # |
| 294 | #·Example·Call(s): | 332 | #·Example·Call(s): |
| 295 | # | 333 | # |
| 296 | #·····service_command·enable·bluetooth | 334 | #·····service_command·enable·bluetooth |
| 297 | #·····service_command·disable·bluetooth.service | 335 | #·····service_command·disable·bluetooth.service |
| 298 | # | 336 | # |
| Offset 367, 58 lines modified | Offset 411, 14 lines modified | ||
| 367 | } | 411 | } |
| 368 | service_command·disable·ypbind | 412 | service_command·disable·ypbind |
| 369 | #·END·fix·for·'service_ypbind_disabled' | 413 | #·END·fix·for·'service_ypbind_disabled' |
| 370 | ############################################################################### | 414 | ############################################################################### |
| 371 | #·BEGIN·fix·(11·/·149)·for·'package_ypbind_removed' | ||
| 372 | ############################################################################### | ||
| 373 | (>&2·echo·"Remediating·rule·11/149:·'package_ypbind_removed'") | ||
| 374 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 375 | # | ||
| 376 | #·Example·Call(s): | ||
| 377 | # | ||
| 378 | #·····package_remove·telnet-server | ||
| 379 | # | ||
| 380 | function·package_remove·{ | ||
| 381 | #·Load·function·arguments·into·local·variables | ||
| 382 | local·package="$1" | ||
| 383 | #·Check·sanity·of·the·input | ||
| 384 | if·[·$#·-ne·"1"·] | ||
| 385 | then | ||
| 386 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 387 | ··echo·"Aborting." | ||
| 388 | ··exit·1 | ||
| 389 | fi | ||
| 390 | if·which·dnf·;·then | ||
| 391 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 392 | ····dnf·remove·-y·"$package" | ||
| 393 | ··fi | ||
| 394 | elif·which·yum·;·then | ||
| 395 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 396 | ····yum·remove·-y·"$package" | ||
| 397 | ··fi | ||
| 398 | elif·which·apt-get·;·then | ||
| 399 | ··apt-get·remove·-y·"$package" | ||
| 400 | else | ||
| 401 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 402 | ··echo·"Aborting." | ||
| 403 | ··exit·1 | ||
| 404 | fi | ||
| 405 | } | ||
| 406 | package_remove·ypbind | ||
| 407 | #·END·fix·for·'package_ypbind_removed' | ||
| 408 | ############################################################################### | ||
| 409 | #·BEGIN·fix·(12·/·149)·for·'package_ypserv_removed' | 415 | #·BEGIN·fix·(12·/·149)·for·'package_ypserv_removed' |
| 410 | ############################################################################### | 416 | ############################################################################### |
| 411 | (>&2·echo·"Remediating·rule·12/149:·'package_ypserv_removed'") | 417 | (>&2·echo·"Remediating·rule·12/149:·'package_ypserv_removed'") |
| 412 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 418 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 413 | # | 419 | # |
| 414 | #·Example·Call(s): | 420 | #·Example·Call(s): |
| 415 | # | 421 | # |
| Offset 922, 17 lines modified | Offset 922, 17 lines modified | ||
| 922 | #·BEGIN·fix·(20·/·149)·for·'use_kerberos_security_all_exports' | 922 | #·BEGIN·fix·(20·/·149)·for·'use_kerberos_security_all_exports' |
| 923 | ############################################################################### | 923 | ############################################################################### |
| 924 | (>&2·echo·"Remediating·rule·20/149:·'use_kerberos_security_all_exports'") | 924 | (>&2·echo·"Remediating·rule·20/149:·'use_kerberos_security_all_exports'") |
| 925 | #·FIX·FOR·THIS·RULE·IS·MISSING | 925 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 926 | #·END·fix·for·'use_kerberos_security_all_exports' | 926 | #·END·fix·for·'use_kerberos_security_all_exports' |
| Max diff block lines reached; 96537/100366 bytes (96.18%) of diff not shown. | |||
| Offset 293, 17 lines modified | Offset 293, 61 lines modified | ||
| 293 | } | 293 | } |
| 294 | package_remove·telnet-server | 294 | package_remove·telnet-server |
| 295 | #·END·fix·for·'package_telnet-server_removed' | 295 | #·END·fix·for·'package_telnet-server_removed' |
| 296 | ############################################################################### | 296 | ############################################################################### |
| 297 | #·BEGIN·fix·(10·/·358)·for·' | 297 | #·BEGIN·fix·(10·/·358)·for·'package_ypbind_removed' |
| 298 | ############################################################################### | 298 | ############################################################################### |
| 299 | (>&2·echo·"Remediating·rule·10/358:·' | 299 | (>&2·echo·"Remediating·rule·10/358:·'package_ypbind_removed'") |
| 300 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 301 | # | ||
| 302 | #·Example·Call(s): | ||
| 303 | # | ||
| 304 | #·····package_remove·telnet-server | ||
| 305 | # | ||
| 306 | function·package_remove·{ | ||
| 307 | #·Load·function·arguments·into·local·variables | ||
| 308 | local·package="$1" | ||
| 309 | #·Check·sanity·of·the·input | ||
| 310 | if·[·$#·-ne·"1"·] | ||
| 311 | then | ||
| 312 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 313 | ··echo·"Aborting." | ||
| 314 | ··exit·1 | ||
| 315 | fi | ||
| 316 | if·which·dnf·;·then | ||
| 317 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 318 | ····dnf·remove·-y·"$package" | ||
| 319 | ··fi | ||
| 320 | elif·which·yum·;·then | ||
| 321 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 322 | ····yum·remove·-y·"$package" | ||
| 323 | ··fi | ||
| 324 | elif·which·apt-get·;·then | ||
| 325 | ··apt-get·remove·-y·"$package" | ||
| 326 | else | ||
| 327 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 328 | ··echo·"Aborting." | ||
| 329 | ··exit·1 | ||
| 330 | fi | ||
| 331 | } | ||
| 332 | package_remove·ypbind | ||
| 333 | #·END·fix·for·'package_ypbind_removed' | ||
| 334 | ############################################################################### | ||
| 335 | #·BEGIN·fix·(11·/·358)·for·'service_ypbind_disabled' | ||
| 336 | ############################################################################### | ||
| 337 | (>&2·echo·"Remediating·rule·11/358:·'service_ypbind_disabled'") | ||
| 300 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 338 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 301 | # | 339 | # |
| 302 | #·Example·Call(s): | 340 | #·Example·Call(s): |
| 303 | # | 341 | # |
| 304 | #·····service_command·enable·bluetooth | 342 | #·····service_command·enable·bluetooth |
| 305 | #·····service_command·disable·bluetooth.service | 343 | #·····service_command·disable·bluetooth.service |
| 306 | # | 344 | # |
| Offset 375, 58 lines modified | Offset 419, 14 lines modified | ||
| 375 | } | 419 | } |
| 376 | service_command·disable·ypbind | 420 | service_command·disable·ypbind |
| 377 | #·END·fix·for·'service_ypbind_disabled' | 421 | #·END·fix·for·'service_ypbind_disabled' |
| 378 | ############################################################################### | 422 | ############################################################################### |
| 379 | #·BEGIN·fix·(11·/·358)·for·'package_ypbind_removed' | ||
| 380 | ############################################################################### | ||
| 381 | (>&2·echo·"Remediating·rule·11/358:·'package_ypbind_removed'") | ||
| 382 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 383 | # | ||
| 384 | #·Example·Call(s): | ||
| 385 | # | ||
| 386 | #·····package_remove·telnet-server | ||
| 387 | # | ||
| 388 | function·package_remove·{ | ||
| 389 | #·Load·function·arguments·into·local·variables | ||
| 390 | local·package="$1" | ||
| 391 | #·Check·sanity·of·the·input | ||
| 392 | if·[·$#·-ne·"1"·] | ||
| 393 | then | ||
| 394 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 395 | ··echo·"Aborting." | ||
| 396 | ··exit·1 | ||
| 397 | fi | ||
| 398 | if·which·dnf·;·then | ||
| 399 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 400 | ····dnf·remove·-y·"$package" | ||
| 401 | ··fi | ||
| 402 | elif·which·yum·;·then | ||
| 403 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 404 | ····yum·remove·-y·"$package" | ||
| 405 | ··fi | ||
| 406 | elif·which·apt-get·;·then | ||
| 407 | ··apt-get·remove·-y·"$package" | ||
| 408 | else | ||
| 409 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 410 | ··echo·"Aborting." | ||
| 411 | ··exit·1 | ||
| 412 | fi | ||
| 413 | } | ||
| 414 | package_remove·ypbind | ||
| 415 | #·END·fix·for·'package_ypbind_removed' | ||
| 416 | ############################################################################### | ||
| 417 | #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed' | 423 | #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed' |
| 418 | ############################################################################### | 424 | ############################################################################### |
| 419 | (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'") | 425 | (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'") |
| 420 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 426 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 421 | # | 427 | # |
| 422 | #·Example·Call(s): | 428 | #·Example·Call(s): |
| 423 | # | 429 | # |
| Offset 1428, 17 lines modified | Offset 1428, 17 lines modified | ||
| 1428 | #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems' | 1428 | #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems' |
| 1429 | ############################################################################### | 1429 | ############################################################################### |
| 1430 | (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'") | 1430 | (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'") |
| 1431 | #·FIX·FOR·THIS·RULE·IS·MISSING | 1431 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 1432 | #·END·fix·for·'mount_option_nodev_remote_filesystems' | 1432 | #·END·fix·for·'mount_option_nodev_remote_filesystems' |
| Max diff block lines reached; 227689/231532 bytes (98.34%) of diff not shown. | |||
| Offset 304, 17 lines modified | Offset 304, 61 lines modified | ||
| 304 | } | 304 | } |
| 305 | package_remove·telnet-server | 305 | package_remove·telnet-server |
| 306 | #·END·fix·for·'package_telnet-server_removed' | 306 | #·END·fix·for·'package_telnet-server_removed' |
| 307 | ############################################################################### | 307 | ############################################################################### |
| 308 | #·BEGIN·fix·(10·/·358)·for·' | 308 | #·BEGIN·fix·(10·/·358)·for·'package_ypbind_removed' |
| 309 | ############################################################################### | 309 | ############################################################################### |
| 310 | (>&2·echo·"Remediating·rule·10/358:·' | 310 | (>&2·echo·"Remediating·rule·10/358:·'package_ypbind_removed'") |
| 311 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 312 | # | ||
| 313 | #·Example·Call(s): | ||
| 314 | # | ||
| 315 | #·····package_remove·telnet-server | ||
| 316 | # | ||
| 317 | function·package_remove·{ | ||
| 318 | #·Load·function·arguments·into·local·variables | ||
| 319 | local·package="$1" | ||
| 320 | #·Check·sanity·of·the·input | ||
| 321 | if·[·$#·-ne·"1"·] | ||
| 322 | then | ||
| 323 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 324 | ··echo·"Aborting." | ||
| 325 | ··exit·1 | ||
| 326 | fi | ||
| 327 | if·which·dnf·;·then | ||
| 328 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 329 | ····dnf·remove·-y·"$package" | ||
| 330 | ··fi | ||
| 331 | elif·which·yum·;·then | ||
| 332 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 333 | ····yum·remove·-y·"$package" | ||
| 334 | ··fi | ||
| 335 | elif·which·apt-get·;·then | ||
| 336 | ··apt-get·remove·-y·"$package" | ||
| 337 | else | ||
| 338 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 339 | ··echo·"Aborting." | ||
| 340 | ··exit·1 | ||
| 341 | fi | ||
| 342 | } | ||
| 343 | package_remove·ypbind | ||
| 344 | #·END·fix·for·'package_ypbind_removed' | ||
| 345 | ############################################################################### | ||
| 346 | #·BEGIN·fix·(11·/·358)·for·'service_ypbind_disabled' | ||
| 347 | ############################################################################### | ||
| 348 | (>&2·echo·"Remediating·rule·11/358:·'service_ypbind_disabled'") | ||
| 311 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. | 349 | #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems. |
| 312 | # | 350 | # |
| 313 | #·Example·Call(s): | 351 | #·Example·Call(s): |
| 314 | # | 352 | # |
| 315 | #·····service_command·enable·bluetooth | 353 | #·····service_command·enable·bluetooth |
| 316 | #·····service_command·disable·bluetooth.service | 354 | #·····service_command·disable·bluetooth.service |
| 317 | # | 355 | # |
| Offset 386, 58 lines modified | Offset 430, 14 lines modified | ||
| 386 | } | 430 | } |
| 387 | service_command·disable·ypbind | 431 | service_command·disable·ypbind |
| 388 | #·END·fix·for·'service_ypbind_disabled' | 432 | #·END·fix·for·'service_ypbind_disabled' |
| 389 | ############################################################################### | 433 | ############################################################################### |
| 390 | #·BEGIN·fix·(11·/·358)·for·'package_ypbind_removed' | ||
| 391 | ############################################################################### | ||
| 392 | (>&2·echo·"Remediating·rule·11/358:·'package_ypbind_removed'") | ||
| 393 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | ||
| 394 | # | ||
| 395 | #·Example·Call(s): | ||
| 396 | # | ||
| 397 | #·····package_remove·telnet-server | ||
| 398 | # | ||
| 399 | function·package_remove·{ | ||
| 400 | #·Load·function·arguments·into·local·variables | ||
| 401 | local·package="$1" | ||
| 402 | #·Check·sanity·of·the·input | ||
| 403 | if·[·$#·-ne·"1"·] | ||
| 404 | then | ||
| 405 | ··echo·"Usage:·package_remove·'package_name'" | ||
| 406 | ··echo·"Aborting." | ||
| 407 | ··exit·1 | ||
| 408 | fi | ||
| 409 | if·which·dnf·;·then | ||
| 410 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 411 | ····dnf·remove·-y·"$package" | ||
| 412 | ··fi | ||
| 413 | elif·which·yum·;·then | ||
| 414 | ··if·rpm·-q·--quiet·"$package";·then | ||
| 415 | ····yum·remove·-y·"$package" | ||
| 416 | ··fi | ||
| 417 | elif·which·apt-get·;·then | ||
| 418 | ··apt-get·remove·-y·"$package" | ||
| 419 | else | ||
| 420 | ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" | ||
| 421 | ··echo·"Aborting." | ||
| 422 | ··exit·1 | ||
| 423 | fi | ||
| 424 | } | ||
| 425 | package_remove·ypbind | ||
| 426 | #·END·fix·for·'package_ypbind_removed' | ||
| 427 | ############################################################################### | ||
| 428 | #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed' | 434 | #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed' |
| 429 | ############################################################################### | 435 | ############################################################################### |
| 430 | (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'") | 436 | (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'") |
| 431 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. | 437 | #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. |
| 432 | # | 438 | # |
| 433 | #·Example·Call(s): | 439 | #·Example·Call(s): |
| 434 | # | 440 | # |
| Offset 1439, 17 lines modified | Offset 1439, 17 lines modified | ||
| 1439 | #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems' | 1439 | #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems' |
| 1440 | ############################################################################### | 1440 | ############################################################################### |
| 1441 | (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'") | 1441 | (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'") |
| 1442 | #·FIX·FOR·THIS·RULE·IS·MISSING | 1442 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 1443 | #·END·fix·for·'mount_option_nodev_remote_filesystems' | 1443 | #·END·fix·for·'mount_option_nodev_remote_filesystems' |
| Max diff block lines reached; 227689/231532 bytes (98.34%) of diff not shown. | |||
| Offset 793, 19 lines modified | Offset 793, 17 lines modified | ||
| 793 | include_dconf_settings | 793 | include_dconf_settings |
| 794 | dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings' | 794 | dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings' |
| 795 | dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock' | 795 | dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock' |
| 796 | #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled' | 796 | #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled' |
| 797 | ############################################################################### | 797 | ############################################################################### |
| 798 | #·BEGIN·fix·(17·/·94)·for·'dconf_gnome_screensaver_ | 798 | #·BEGIN·fix·(17·/·94)·for·'dconf_gnome_screensaver_mode_blank' |
| 799 | ############################################################################### | 799 | ############################################################################### |
| 800 | (>&2·echo·"Remediating·rule·17/94:·'dconf_gnome_screensaver_ | 800 | (>&2·echo·"Remediating·rule·17/94:·'dconf_gnome_screensaver_mode_blank'") |
| 801 | inactivity_timeout_value="900" | ||
| 802 | function·include_dconf_settings·{ | 801 | function·include_dconf_settings·{ |
| 803 | » : | 802 | » : |
| 804 | } | 803 | } |
| 805 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 804 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 806 | # | 805 | # |
| 807 | #·Example·Call(s): | 806 | #·Example·Call(s): |
| Offset 873, 22 lines modified | Offset 871, 24 lines modified | ||
| 873 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 871 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 874 | » fi | 872 | » fi |
| 875 | } | 873 | } |
| 876 | include_dconf_settings | 874 | include_dconf_settings |
| 877 | dconf_settings·'org/gnome/desktop/s | 875 | dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings' |
| 878 | dconf_lock·'org/gnome/desktop/ses | 876 | dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock' |
| 879 | #·END·fix·for·'dconf_gnome_screensaver_ | 877 | #·END·fix·for·'dconf_gnome_screensaver_mode_blank' |
| 880 | ############################################################################### | 878 | ############################################################################### |
| 881 | #·BEGIN·fix·(18·/·94)·for·'dconf_gnome_screensaver_ | 879 | #·BEGIN·fix·(18·/·94)·for·'dconf_gnome_screensaver_idle_delay' |
| 882 | ############################################################################### | 880 | ############################################################################### |
| 883 | (>&2·echo·"Remediating·rule·18/94:·'dconf_gnome_screensaver_ | 881 | (>&2·echo·"Remediating·rule·18/94:·'dconf_gnome_screensaver_idle_delay'") |
| 882 | inactivity_timeout_value="900" | ||
| 884 | function·include_dconf_settings·{ | 883 | function·include_dconf_settings·{ |
| 885 | » : | 884 | » : |
| 886 | } | 885 | } |
| 887 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. | 886 | #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems. |
| 888 | # | 887 | # |
| 889 | #·Example·Call(s): | 888 | #·Example·Call(s): |
| Offset 956, 17 lines modified | Offset 956, 17 lines modified | ||
| 956 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" | 956 | » » echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}" |
| 957 | » fi | 957 | » fi |
| 958 | } | 958 | } |
| 959 | include_dconf_settings | 959 | include_dconf_settings |
| 960 | dconf_settings·'org/gnome/desktop/s | 960 | dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings' |
| 961 | dconf_lock·'org/gnome/desktop/s | 961 | dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock' |
| 962 | #·END·fix·for·'dconf_gnome_screensaver_ | 962 | #·END·fix·for·'dconf_gnome_screensaver_idle_delay' |
| 963 | ############################################################################### | 963 | ############################################################################### |
| 964 | #·BEGIN·fix·(19·/·94)·for·'dconf_gnome_screensaver_lock_enabled' | 964 | #·BEGIN·fix·(19·/·94)·for·'dconf_gnome_screensaver_lock_enabled' |
| 965 | ############################################################################### | 965 | ############################################################################### |
| 966 | (>&2·echo·"Remediating·rule·19/94:·'dconf_gnome_screensaver_lock_enabled'") | 966 | (>&2·echo·"Remediating·rule·19/94:·'dconf_gnome_screensaver_lock_enabled'") |
| 967 | function·include_dconf_settings·{ | 967 | function·include_dconf_settings·{ |
| 968 | » : | 968 | » : |
| Offset 2117, 72 lines modified | Offset 2117, 72 lines modified | ||
| 2117 | ··sed·-i·'s/^action_mail_acct.*/action_mail_acct·=·'"$var_auditd_action_mail_acct"'/g'·$AUDITCONFIG | 2117 | ··sed·-i·'s/^action_mail_acct.*/action_mail_acct·=·'"$var_auditd_action_mail_acct"'/g'·$AUDITCONFIG |
| 2118 | if·!·[·$?·-eq·0·];·then | 2118 | if·!·[·$?·-eq·0·];·then |
| 2119 | ··echo·"action_mail_acct·=·$var_auditd_action_mail_acct"·>>·$AUDITCONFIG | 2119 | ··echo·"action_mail_acct·=·$var_auditd_action_mail_acct"·>>·$AUDITCONFIG |
| 2120 | fi | 2120 | fi |
| 2121 | #·END·fix·for·'auditd_data_retention_action_mail_acct' | 2121 | #·END·fix·for·'auditd_data_retention_action_mail_acct' |
| 2122 | ############################################################################### | 2122 | ############################################################################### |
| 2123 | #·BEGIN·fix·(48·/·94)·for·'auditd_data_retention_space_left_action' | 2123 | #·BEGIN·fix·(48·/·94)·for·'auditd_data_retention_admin_space_left_action' |
| 2124 | ############################################################################### | 2124 | ############################################################################### |
| 2125 | (>&2·echo·"Remediating·rule·48/94:·'auditd_data_retention_space_left_action'") | 2125 | (>&2·echo·"Remediating·rule·48/94:·'auditd_data_retention_admin_space_left_action'") |
| 2126 | var_auditd_space_left_action="suspend" | ||
| 2127 | grep·-q·^space_left_action·/etc/audit/auditd.conf·&&·\ | ||
| 2128 | ··sed·-i·"s/space_left_action.*/space_left_action·=·$var_auditd_space_left_action/g"·/etc/audit/auditd.conf | ||
| 2129 | if·!·[·$?·-eq·0·];·then | ||
| 2130 | ····echo·"space_left_action·=·$var_auditd_space_left_action"·>>·/etc/audit/auditd.conf | ||
| 2131 | fi | ||
| 2132 | #·END·fix·for·'auditd_data_retention_space_left_action' | ||
| 2133 | ############################################################################### | ||
| 2134 | #·BEGIN·fix·(49·/·94)·for·'auditd_data_retention_admin_space_left_action' | ||
| 2135 | ############################################################################### | ||
| 2136 | (>&2·echo·"Remediating·rule·49/94:·'auditd_data_retention_admin_space_left_action'") | ||
| 2137 | var_auditd_admin_space_left_action="suspend" | 2126 | var_auditd_admin_space_left_action="suspend" |
| 2138 | grep·-q·^admin_space_left_action·/etc/audit/auditd.conf·&&·\ | 2127 | grep·-q·^admin_space_left_action·/etc/audit/auditd.conf·&&·\ |
| 2139 | ··sed·-i·"s/admin_space_left_action.*/admin_space_left_action·=·$var_auditd_admin_space_left_action/g"·/etc/audit/auditd.conf | 2128 | ··sed·-i·"s/admin_space_left_action.*/admin_space_left_action·=·$var_auditd_admin_space_left_action/g"·/etc/audit/auditd.conf |
| 2140 | if·!·[·$?·-eq·0·];·then | 2129 | if·!·[·$?·-eq·0·];·then |
| 2141 | ····echo·"admin_space_left_action·=·$var_auditd_admin_space_left_action"·>>·/etc/audit/auditd.conf | 2130 | ····echo·"admin_space_left_action·=·$var_auditd_admin_space_left_action"·>>·/etc/audit/auditd.conf |
| 2142 | fi | 2131 | fi |
| 2143 | #·END·fix·for·'auditd_data_retention_admin_space_left_action' | 2132 | #·END·fix·for·'auditd_data_retention_admin_space_left_action' |
| 2144 | ############################################################################### | 2133 | ############################################################################### |
| 2145 | #·BEGIN·fix·( | 2134 | #·BEGIN·fix·(49·/·94)·for·'auditd_data_retention_max_log_file_action' |
| 2146 | ############################################################################### | 2135 | ############################################################################### |
| 2147 | (>&2·echo·"Remediating·rule· | 2136 | (>&2·echo·"Remediating·rule·49/94:·'auditd_data_retention_max_log_file_action'") |
| 2148 | var_auditd_ | 2137 | var_auditd_max_log_file_action="rotate" |
| 2149 | AUDITCONFIG=/etc/audit/auditd.conf | 2138 | AUDITCONFIG=/etc/audit/auditd.conf |
| 2150 | grep·-q·^ | 2139 | grep·-q·^max_log_file_action·$AUDITCONFIG·&&·\ |
| 2151 | ··sed·-i·'s/^ | 2140 | ··sed·-i·'s/^max_log_file_action.*/max_log_file_action·=·'"$var_auditd_max_log_file_action"'/g'·$AUDITCONFIG |
| 2152 | if·!·[·$?·-eq·0·];·then | 2141 | if·!·[·$?·-eq·0·];·then |
| 2153 | ··echo·" | 2142 | ··echo·"max_log_file_action·=·$var_auditd_max_log_file_action"·>>·$AUDITCONFIG |
| 2154 | fi | 2143 | fi |
| 2155 | #·END·fix·for·'auditd_data_retention_ | 2144 | #·END·fix·for·'auditd_data_retention_max_log_file_action' |
| 2156 | ############################################################################### | 2145 | ############################################################################### |
| 2157 | #·BEGIN·fix·(5 | 2146 | #·BEGIN·fix·(50·/·94)·for·'auditd_data_retention_space_left_action' |
| 2158 | ############################################################################### | 2147 | ############################################################################### |
| 2159 | (>&2·echo·"Remediating·rule·5 | 2148 | (>&2·echo·"Remediating·rule·50/94:·'auditd_data_retention_space_left_action'") |
| 2160 | var_auditd_ | 2149 | var_auditd_space_left_action="suspend" |
| 2150 | grep·-q·^space_left_action·/etc/audit/auditd.conf·&&·\ | ||
| 2151 | ··sed·-i·"s/space_left_action.*/space_left_action·=·$var_auditd_space_left_action/g"·/etc/audit/auditd.conf | ||
| 2152 | if·!·[·$?·-eq·0·];·then | ||
| 2153 | ····echo·"space_left_action·=·$var_auditd_space_left_action"·>>·/etc/audit/auditd.conf | ||
| 2154 | fi | ||
| 2155 | #·END·fix·for·'auditd_data_retention_space_left_action' | ||
| Max diff block lines reached; 54266/61706 bytes (87.94%) of diff not shown. | |||
| Offset 376, 17 lines modified | Offset 376, 19 lines modified | ||
| 376 | ··fi | 376 | ··fi |
| 377 | } | 377 | } |
| 378 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' | 378 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' |
| 379 | #·END·fix·for·'sshd_set_keepalive' | 379 | #·END·fix·for·'sshd_set_keepalive' |
| 380 | ############################################################################### | 380 | ############################################################################### |
| 381 | #·BEGIN·fix·(7·/·70)·for·'sshd_e | 381 | #·BEGIN·fix·(7·/·70)·for·'sshd_set_idle_timeout' |
| 382 | ############################################################################### | 382 | ############################################################################### |
| 383 | (>&2·echo·"Remediating·rule·7/70:·'sshd_e | 383 | (>&2·echo·"Remediating·rule·7/70:·'sshd_set_idle_timeout'") |
| 384 | sshd_idle_timeout_value="300" | ||
| 384 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 385 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 385 | #·it·does·not·exist. | 386 | #·it·does·not·exist. |
| 386 | # | 387 | # |
| 387 | #·Expects·arguments: | 388 | #·Expects·arguments: |
| 388 | # | 389 | # |
| 389 | #·config_file:» » Configuration·file·that·will·be·modified | 390 | #·config_file:» » Configuration·file·that·will·be·modified |
| 390 | #·key:» » » Configuration·option·to·change | 391 | #·key:» » » Configuration·option·to·change |
| Offset 457, 21 lines modified | Offset 459, 21 lines modified | ||
| 457 | ··else | 459 | ··else |
| 458 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 460 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 459 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 461 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 460 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 462 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 461 | ··fi | 463 | ··fi |
| 462 | } | 464 | } |
| 463 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 465 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 464 | #·END·fix·for·'sshd_e | 466 | #·END·fix·for·'sshd_set_idle_timeout' |
| 465 | ############################################################################### | 467 | ############################################################################### |
| 466 | #·BEGIN·fix·(8·/·70)·for·'sshd_ | 468 | #·BEGIN·fix·(8·/·70)·for·'sshd_enable_warning_banner' |
| 467 | ############################################################################### | 469 | ############################################################################### |
| 468 | (>&2·echo·"Remediating·rule·8/70:·'sshd_ | 470 | (>&2·echo·"Remediating·rule·8/70:·'sshd_enable_warning_banner'") |
| 469 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 471 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 470 | #·it·does·not·exist. | 472 | #·it·does·not·exist. |
| 471 | # | 473 | # |
| 472 | #·Expects·arguments: | 474 | #·Expects·arguments: |
| 473 | # | 475 | # |
| 474 | #·config_file:» » Configuration·file·that·will·be·modified | 476 | #·config_file:» » Configuration·file·that·will·be·modified |
| 475 | #·key:» » » Configuration·option·to·change | 477 | #·key:» » » Configuration·option·to·change |
| Offset 542, 16 lines modified | Offset 544, 16 lines modified | ||
| 542 | ··else | 544 | ··else |
| 543 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 545 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 544 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 546 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 545 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 547 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 546 | ··fi | 548 | ··fi |
| 547 | } | 549 | } |
| 548 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 550 | replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s' |
| 549 | #·END·fix·for·'sshd_ | 551 | #·END·fix·for·'sshd_enable_warning_banner' |
| 550 | ############################################################################### | 552 | ############################################################################### |
| 551 | #·BEGIN·fix·(9·/·70)·for·'sshd_allow_only_protocol2' | 553 | #·BEGIN·fix·(9·/·70)·for·'sshd_allow_only_protocol2' |
| 552 | ############################################################################### | 554 | ############################################################################### |
| 553 | (>&2·echo·"Remediating·rule·9/70:·'sshd_allow_only_protocol2'") | 555 | (>&2·echo·"Remediating·rule·9/70:·'sshd_allow_only_protocol2'") |
| 554 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 556 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 555 | #·it·does·not·exist. | 557 | #·it·does·not·exist. |
| Offset 716, 19 lines modified | Offset 718, 17 lines modified | ||
| 716 | ··fi | 718 | ··fi |
| 717 | } | 719 | } |
| 718 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s' | 720 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s' |
| 719 | #·END·fix·for·'sshd_disable_rhosts' | 721 | #·END·fix·for·'sshd_disable_rhosts' |
| 720 | ############################################################################### | 722 | ############################################################################### |
| 721 | #·BEGIN·fix·(11·/·70)·for·'sshd_ | 723 | #·BEGIN·fix·(11·/·70)·for·'sshd_do_not_permit_user_env' |
| 722 | ############################################################################### | 724 | ############################################################################### |
| 723 | (>&2·echo·"Remediating·rule·11/70:·'sshd_ | 725 | (>&2·echo·"Remediating·rule·11/70:·'sshd_do_not_permit_user_env'") |
| 724 | sshd_idle_timeout_value="300" | ||
| 725 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 726 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 726 | #·it·does·not·exist. | 727 | #·it·does·not·exist. |
| 727 | # | 728 | # |
| 728 | #·Expects·arguments: | 729 | #·Expects·arguments: |
| 729 | # | 730 | # |
| 730 | #·config_file:» » Configuration·file·that·will·be·modified | 731 | #·config_file:» » Configuration·file·that·will·be·modified |
| 731 | #·key:» » » Configuration·option·to·change | 732 | #·key:» » » Configuration·option·to·change |
| Offset 799, 16 lines modified | Offset 799, 16 lines modified | ||
| 799 | ··else | 799 | ··else |
| 800 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 800 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 801 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 801 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 802 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 802 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 803 | ··fi | 803 | ··fi |
| 804 | } | 804 | } |
| 805 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 805 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s' |
| 806 | #·END·fix·for·'sshd_ | 806 | #·END·fix·for·'sshd_do_not_permit_user_env' |
| 807 | ############################################################################### | 807 | ############################################################################### |
| 808 | #·BEGIN·fix·(12·/·70)·for·'sshd_use_approved_ciphers' | 808 | #·BEGIN·fix·(12·/·70)·for·'sshd_use_approved_ciphers' |
| 809 | ############################################################################### | 809 | ############################################################################### |
| 810 | (>&2·echo·"Remediating·rule·12/70:·'sshd_use_approved_ciphers'") | 810 | (>&2·echo·"Remediating·rule·12/70:·'sshd_use_approved_ciphers'") |
| 811 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 811 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 812 | #·it·does·not·exist. | 812 | #·it·does·not·exist. |
| Offset 1502, 26 lines modified | Offset 1502, 26 lines modified | ||
| 1502 | ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs | 1502 | ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs |
| 1503 | if·!·[·$?·-eq·0·];·then | 1503 | if·!·[·$?·-eq·0·];·then |
| 1504 | ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs | 1504 | ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs |
| 1505 | fi | 1505 | fi |
| 1506 | #·END·fix·for·'accounts_minimum_age_login_defs' | 1506 | #·END·fix·for·'accounts_minimum_age_login_defs' |
| 1507 | ############################################################################### | 1507 | ############################################################################### |
| 1508 | #·BEGIN·fix·(34·/·70)·for·' | 1508 | #·BEGIN·fix·(34·/·70)·for·'no_shelllogin_for_systemaccounts' |
| 1509 | ############################################################################### | 1509 | ############################################################################### |
| 1510 | (>&2·echo·"Remediating·rule·34/70:·' | 1510 | (>&2·echo·"Remediating·rule·34/70:·'no_shelllogin_for_systemaccounts'") |
| 1511 | 1511 | #·FIX·FOR·THIS·RULE·IS·MISSING | |
| 1512 | #·END·fix·for·' | 1512 | #·END·fix·for·'no_shelllogin_for_systemaccounts' |
| 1513 | ############################################################################### | 1513 | ############################################################################### |
| 1514 | #·BEGIN·fix·(35·/·70)·for·' | 1514 | #·BEGIN·fix·(35·/·70)·for·'accounts_no_uid_except_zero' |
| 1515 | ############################################################################### | 1515 | ############################################################################### |
| 1516 | (>&2·echo·"Remediating·rule·35/70:·' | 1516 | (>&2·echo·"Remediating·rule·35/70:·'accounts_no_uid_except_zero'") |
| 1517 | 1517 | awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l | |
| 1518 | #·END·fix·for·' | 1518 | #·END·fix·for·'accounts_no_uid_except_zero' |
| 1519 | ############################################################################### | 1519 | ############################################################################### |
| 1520 | #·BEGIN·fix·(36·/·70)·for·'accounts_password_all_shadowed' | 1520 | #·BEGIN·fix·(36·/·70)·for·'accounts_password_all_shadowed' |
| 1521 | ############################################################################### | 1521 | ############################################################################### |
| 1522 | (>&2·echo·"Remediating·rule·36/70:·'accounts_password_all_shadowed'") | 1522 | (>&2·echo·"Remediating·rule·36/70:·'accounts_password_all_shadowed'") |
| 1523 | #·FIX·FOR·THIS·RULE·IS·MISSING | 1523 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 1524 | #·END·fix·for·'accounts_password_all_shadowed' | 1524 | #·END·fix·for·'accounts_password_all_shadowed' |
| Offset 2267, 37 lines modified | Offset 2267, 37 lines modified | ||
| 2267 | ############################################################################### | 2267 | ############################################################################### |
| 2268 | (>&2·echo·"Remediating·rule·66/70:·'file_permissions_etc_passwd'") | 2268 | (>&2·echo·"Remediating·rule·66/70:·'file_permissions_etc_passwd'") |
| 2269 | chmod·0644·/etc/passwd | 2269 | chmod·0644·/etc/passwd |
| Max diff block lines reached; 1963/8920 bytes (22.01%) of diff not shown. | |||
| Offset 1476, 158 lines modified | Offset 1476, 17 lines modified | ||
| 1476 | } | 1476 | } |
| 1477 | fix_audit_watch_rule·"auditctl"·"/usr/sbin/modprobe"·"x"·"modules" | 1477 | fix_audit_watch_rule·"auditctl"·"/usr/sbin/modprobe"·"x"·"modules" |
| 1478 | fix_audit_watch_rule·"augenrules"·"/usr/sbin/modprobe"·"x"·"modules" | 1478 | fix_audit_watch_rule·"augenrules"·"/usr/sbin/modprobe"·"x"·"modules" |
| 1479 | #·END·fix·for·'audit_rules_kernel_module_loading' | 1479 | #·END·fix·for·'audit_rules_kernel_module_loading' |
| 1480 | ############################################################################### | 1480 | ############################################################################### |
| 1481 | #·BEGIN·fix·(19·/·51)·for·'audit_rules_time_ | 1481 | #·BEGIN·fix·(19·/·51)·for·'audit_rules_time_stime' |
| 1482 | ############################################################################### | 1482 | ############################################################################### |
| 1483 | (>&2·echo·"Remediating·rule·19/51:·'audit_rules_time_ | 1483 | (>&2·echo·"Remediating·rule·19/51:·'audit_rules_time_stime'") |
| 1484 | #·Perform·the·remediation·for·both·possible·tools:·'auditctl'·and·'augenrules' | ||
| 1485 | #·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: | ||
| 1486 | #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements | ||
| 1487 | #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect | ||
| 1488 | #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules | ||
| 1489 | # | ||
| 1490 | #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: | ||
| 1491 | #·*·audit·tool» » » » tool·used·to·load·audit·rules, | ||
| 1492 | #·» » » » » either·'auditctl',·or·'augenrules' | ||
| 1493 | #·*·path························» value·of·-w·audit·rule's·argument | ||
| 1494 | #·*·required·access·bits········» value·of·-p·audit·rule's·argument | ||
| 1495 | #·*·key·························» value·of·-k·audit·rule's·argument | ||
| 1496 | # | ||
| 1497 | #·Example·call: | ||
| 1498 | # | ||
| 1499 | #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" | ||
| 1500 | # | ||
| 1501 | function·fix_audit_watch_rule·{ | ||
| 1502 | #·Load·function·arguments·into·local·variables | ||
| 1503 | local·tool="$1" | ||
| 1504 | local·path="$2" | ||
| 1505 | local·required_access_bits="$3" | ||
| 1506 | local·key="$4" | ||
| 1507 | #·Check·sanity·of·the·input | ||
| 1508 | if·[·$#·-ne·"4"·] | ||
| 1509 | then | ||
| 1510 | » echo·"Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'" | ||
| 1511 | » echo·"Aborting." | ||
| 1512 | » exit·1 | ||
| 1513 | fi | ||
| 1514 | #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness | ||
| 1515 | #·of·a·particular·audit·rule.·The·scheme·is·as·follows: | ||
| 1516 | # | ||
| 1517 | #·----------------------------------------------------------------------------------------- | ||
| 1518 | #·Tool·used·to·load·audit·rules» |·Rule·already·defined» |··Audit·rules·file·to·inspect» ··| | ||
| 1519 | #·----------------------------------------------------------------------------------------- | ||
| 1520 | #» auditctl» » |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| | ||
| 1521 | #·----------------------------------------------------------------------------------------- | ||
| 1522 | #·» augenrules» » |··········Yes»»|··/etc/audit/rules.d/*.rules» ··| | ||
| 1523 | #·» augenrules» » |··········No» » |··/etc/audit/rules.d/$key.rules··| | ||
| 1524 | #·----------------------------------------------------------------------------------------- | ||
| 1525 | declare·-a·files_to_inspect | ||
| 1526 | #·Check·sanity·of·the·specified·audit·tool | ||
| 1527 | if·[·"$tool"·!=·'auditctl'·]·&&·[·"$tool"·!=·'augenrules'·] | ||
| 1528 | then | ||
| 1529 | » echo·"Unknown·audit·rules·loading·tool:·$1.·Aborting." | ||
| 1530 | » echo·"Use·either·'auditctl'·or·'augenrules'!" | ||
| 1531 | » exit·1 | ||
| 1532 | #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' | ||
| 1533 | #·into·the·list·of·files·to·be·inspected | ||
| 1534 | elif·[·"$tool"·==·'auditctl'·] | ||
| 1535 | then | ||
| 1536 | » files_to_inspect=("${files_to_inspect[@]}"·'/etc/audit/audit.rules') | ||
| 1537 | #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined | ||
| 1538 | #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. | ||
| 1539 | #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. | ||
| 1540 | elif·[·"$tool"·==·'augenrules'·] | ||
| 1541 | then | ||
| 1542 | » #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file | ||
| 1543 | » #·Get·pair·--·filepath·:·matching_row·into·@matches·array | ||
| 1544 | » IFS=$'\n'·matches=($(grep·-P·"[\s]*-w[\s]+$path"·/etc/audit/rules.d/*.rules)) | ||
| 1545 | » #·Reset·IFS·back·to·default | ||
| 1546 | » unset·IFS | ||
| 1547 | » #·For·each·of·the·matched·entries | ||
| 1548 | » for·match·in·"${matches[@]}" | ||
| 1549 | » do | ||
| 1550 | » » #·Extract·filepath·from·the·match | ||
| 1551 | » » rulesd_audit_file=$(echo·$match·|·cut·-f1·-d·':') | ||
| 1552 | » » #·Append·that·path·into·list·of·files·for·inspection | ||
| 1553 | » » files_to_inspect=("${files_to_inspect[@]}"·"$rulesd_audit_file") | ||
| 1554 | » done | ||
| 1555 | » #·Case·when·particular·audit·rule·isn't·defined·yet | ||
| 1556 | » if·[·${#files_to_inspect[@]}·-eq·"0"·] | ||
| 1557 | » then | ||
| 1558 | » » #·Append·'/etc/audit/rules.d/$key.rules'·into·list·of·files·for·inspection | ||
| 1559 | » » files_to_inspect="/etc/audit/rules.d/$key.rules" | ||
| 1560 | » » #·If·the·$key.rules·file·doesn't·exist·yet,·create·it·with·correct·permissions | ||
| 1561 | » » if·[·!·-e·"$files_to_inspect"·] | ||
| 1562 | » » then | ||
| 1563 | » » » touch·"$files_to_inspect" | ||
| 1564 | » » » chmod·0640·"$files_to_inspect" | ||
| 1565 | » » fi | ||
| 1566 | » fi | ||
| 1567 | fi | ||
| 1568 | #·Finally·perform·the·inspection·and·possible·subsequent·audit·rule | ||
| 1569 | #·correction·for·each·of·the·files·previously·identified·for·inspection | ||
| 1570 | for·audit_rules_file·in·"${files_to_inspect[@]}" | ||
| 1571 | do | ||
| 1572 | » #·Check·if·audit·watch·file·system·object·rule·for·given·path·already·present | ||
| 1573 | » if·grep·-q·-P·--·"[\s]*-w[\s]+$path"·"$audit_rules_file" | ||
| 1574 | » then | ||
| 1575 | » » #·Rule·is·found·=>·verify·yet·if·existing·rule·definition·contains | ||
| 1576 | » » #·all·of·the·required·access·type·bits | ||
| 1577 | » » #·Escape·slashes·in·path·for·use·in·sed·pattern·below | ||
| 1578 | » » local·esc_path=${path//$'/'/$'\/'} | ||
| 1579 | » » #·Define·BRE·whitespace·class·shortcut | ||
| 1580 | » » local·sp="[[:space:]]" | ||
| 1581 | » » #·Extract·current·permission·access·types·(e.g.·-p·[r|w|x|a]·values)·from·audit·rule | ||
| 1582 | » » current_access_bits=$(sed·-ne·"s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p"·"$audit_rules_file") | ||
| 1583 | » » #·Split·required·access·bits·string·into·characters·array | ||
| 1584 | » » #·(to·check·bit's·presence·for·one·bit·at·a·time) | ||
| 1585 | » » for·access_bit·in·$(echo·"$required_access_bits"·|·grep·-o·.) | ||
| 1586 | » » do | ||
| 1587 | » » » #·For·each·from·the·required·access·bits·(e.g.·'w',·'a')·check | ||
| 1588 | » » » #·if·they·are·already·present·in·current·access·bits·for·rule. | ||
| 1589 | » » » #·If·not,·append·that·bit·at·the·end | ||
| 1590 | » » » if·!·grep·-q·"$access_bit"·<<<·"$current_access_bits" | ||
| 1591 | » » » then | ||
| Max diff block lines reached; 47569/54366 bytes (87.50%) of diff not shown. | |||
| Offset 496, 17 lines modified | Offset 496, 17 lines modified | ||
| 496 | #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems' | 496 | #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems' |
| 497 | ############################################################################### | 497 | ############################################################################### |
| 498 | (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'") | 498 | (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'") |
| 499 | #·FIX·FOR·THIS·RULE·IS·MISSING | 499 | #·FIX·FOR·THIS·RULE·IS·MISSING |
| 500 | #·END·fix·for·'mount_option_nosuid_remote_filesystems' | 500 | #·END·fix·for·'mount_option_nosuid_remote_filesystems' |
| 501 | ############################################################################### | 501 | ############################################################################### |
| 502 | #·BEGIN·fix·(23·/·243)·for·'sshd_ | 502 | #·BEGIN·fix·(23·/·243)·for·'sshd_enable_strictmodes' |
| 503 | ############################################################################### | 503 | ############################################################################### |
| 504 | (>&2·echo·"Remediating·rule·23/243:·'sshd_ | 504 | (>&2·echo·"Remediating·rule·23/243:·'sshd_enable_strictmodes'") |
| 505 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 505 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 506 | #·it·does·not·exist. | 506 | #·it·does·not·exist. |
| 507 | # | 507 | # |
| 508 | #·Expects·arguments: | 508 | #·Expects·arguments: |
| 509 | # | 509 | # |
| 510 | #·config_file:» » Configuration·file·that·will·be·modified | 510 | #·config_file:» » Configuration·file·that·will·be·modified |
| 511 | #·key:» » » Configuration·option·to·change | 511 | #·key:» » » Configuration·option·to·change |
| Offset 577, 21 lines modified | Offset 577, 21 lines modified | ||
| 577 | ··else | 577 | ··else |
| 578 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 578 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 579 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 579 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 580 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 580 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 581 | ··fi | 581 | ··fi |
| 582 | } | 582 | } |
| 583 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 583 | replace_or_append·'/etc/ssh/sshd_config'·'^StrictModes'·'yes'·'CCE-80222-3'·'%s·%s' |
| 584 | #·END·fix·for·'sshd_ | 584 | #·END·fix·for·'sshd_enable_strictmodes' |
| 585 | ############################################################################### | 585 | ############################################################################### |
| 586 | #·BEGIN·fix·(24·/·243)·for·'sshd_disable_ | 586 | #·BEGIN·fix·(24·/·243)·for·'sshd_disable_user_known_hosts' |
| 587 | ############################################################################### | 587 | ############################################################################### |
| 588 | (>&2·echo·"Remediating·rule·24/243:·'sshd_disable_ | 588 | (>&2·echo·"Remediating·rule·24/243:·'sshd_disable_user_known_hosts'") |
| 589 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 589 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 590 | #·it·does·not·exist. | 590 | #·it·does·not·exist. |
| 591 | # | 591 | # |
| 592 | #·Expects·arguments: | 592 | #·Expects·arguments: |
| 593 | # | 593 | # |
| 594 | #·config_file:» » Configuration·file·that·will·be·modified | 594 | #·config_file:» » Configuration·file·that·will·be·modified |
| 595 | #·key:» » » Configuration·option·to·change | 595 | #·key:» » » Configuration·option·to·change |
| Offset 662, 21 lines modified | Offset 662, 21 lines modified | ||
| 662 | ··else | 662 | ··else |
| 663 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 663 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 664 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 664 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 665 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 665 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 666 | ··fi | 666 | ··fi |
| 667 | } | 667 | } |
| 668 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 668 | replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreUserKnownHosts'·'yes'·'CCE-80372-6'·'%s·%s' |
| 669 | #·END·fix·for·'sshd_disable_ | 669 | #·END·fix·for·'sshd_disable_user_known_hosts' |
| 670 | ############################################################################### | 670 | ############################################################################### |
| 671 | #·BEGIN·fix·(25·/·243)·for·'sshd_set_ | 671 | #·BEGIN·fix·(25·/·243)·for·'sshd_disable_empty_passwords' |
| 672 | ############################################################################### | 672 | ############################################################################### |
| 673 | (>&2·echo·"Remediating·rule·25/243:·'sshd_set_ | 673 | (>&2·echo·"Remediating·rule·25/243:·'sshd_disable_empty_passwords'") |
| 674 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 674 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 675 | #·it·does·not·exist. | 675 | #·it·does·not·exist. |
| 676 | # | 676 | # |
| 677 | #·Expects·arguments: | 677 | #·Expects·arguments: |
| 678 | # | 678 | # |
| 679 | #·config_file:» » Configuration·file·that·will·be·modified | 679 | #·config_file:» » Configuration·file·that·will·be·modified |
| 680 | #·key:» » » Configuration·option·to·change | 680 | #·key:» » » Configuration·option·to·change |
| Offset 747, 21 lines modified | Offset 747, 21 lines modified | ||
| 747 | ··else | 747 | ··else |
| 748 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 748 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 749 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 749 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 750 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 750 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 751 | ··fi | 751 | ··fi |
| 752 | } | 752 | } |
| 753 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 753 | replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s' |
| 754 | #·END·fix·for·'sshd_set_ | 754 | #·END·fix·for·'sshd_disable_empty_passwords' |
| 755 | ############################################################################### | 755 | ############################################################################### |
| 756 | #·BEGIN·fix·(26·/·243)·for·'sshd_ | 756 | #·BEGIN·fix·(26·/·243)·for·'sshd_set_keepalive' |
| 757 | ############################################################################### | 757 | ############################################################################### |
| 758 | (>&2·echo·"Remediating·rule·26/243:·'sshd_ | 758 | (>&2·echo·"Remediating·rule·26/243:·'sshd_set_keepalive'") |
| 759 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 759 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 760 | #·it·does·not·exist. | 760 | #·it·does·not·exist. |
| 761 | # | 761 | # |
| 762 | #·Expects·arguments: | 762 | #·Expects·arguments: |
| 763 | # | 763 | # |
| 764 | #·config_file:» » Configuration·file·that·will·be·modified | 764 | #·config_file:» » Configuration·file·that·will·be·modified |
| 765 | #·key:» » » Configuration·option·to·change | 765 | #·key:» » » Configuration·option·to·change |
| Offset 832, 21 lines modified | Offset 832, 23 lines modified | ||
| 832 | ··else | 832 | ··else |
| 833 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 833 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 834 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 834 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 835 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 835 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 836 | ··fi | 836 | ··fi |
| 837 | } | 837 | } |
| 838 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 838 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s' |
| 839 | #·END·fix·for·'sshd_ | 839 | #·END·fix·for·'sshd_set_keepalive' |
| 840 | ############################################################################### | 840 | ############################################################################### |
| 841 | #·BEGIN·fix·(27·/·243)·for·'sshd_e | 841 | #·BEGIN·fix·(27·/·243)·for·'sshd_set_idle_timeout' |
| 842 | ############################################################################### | 842 | ############################################################################### |
| 843 | (>&2·echo·"Remediating·rule·27/243:·'sshd_e | 843 | (>&2·echo·"Remediating·rule·27/243:·'sshd_set_idle_timeout'") |
| 844 | sshd_idle_timeout_value="600" | ||
| 844 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 845 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 845 | #·it·does·not·exist. | 846 | #·it·does·not·exist. |
| 846 | # | 847 | # |
| 847 | #·Expects·arguments: | 848 | #·Expects·arguments: |
| 848 | # | 849 | # |
| 849 | #·config_file:» » Configuration·file·that·will·be·modified | 850 | #·config_file:» » Configuration·file·that·will·be·modified |
| 850 | #·key:» » » Configuration·option·to·change | 851 | #·key:» » » Configuration·option·to·change |
| Offset 917, 23 lines modified | Offset 919, 21 lines modified | ||
| 917 | ··else | 919 | ··else |
| 918 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline | 920 | ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline |
| 919 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" | 921 | ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file" |
| 920 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" | 922 | ····printf·'%s\n'·"$formatted_output"·>>·"$config_file" |
| 921 | ··fi | 923 | ··fi |
| 922 | } | 924 | } |
| 923 | replace_or_append·'/etc/ssh/sshd_config'·'^ | 925 | replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s' |
| 924 | #·END·fix·for·'sshd_e | 926 | #·END·fix·for·'sshd_set_idle_timeout' |
| 925 | ############################################################################### | 927 | ############################################################################### |
| 926 | #·BEGIN·fix·(28·/·243)·for·'sshd_ | 928 | #·BEGIN·fix·(28·/·243)·for·'sshd_enable_warning_banner' |
| 927 | ############################################################################### | 929 | ############################################################################### |
| 928 | (>&2·echo·"Remediating·rule·28/243:·'sshd_ | 930 | (>&2·echo·"Remediating·rule·28/243:·'sshd_enable_warning_banner'") |
| 929 | sshd_approved_macs="hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com" | ||
| 930 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if | 931 | #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if |
| 931 | #·it·does·not·exist. | 932 | #·it·does·not·exist. |
| 932 | # | 933 | # |
| Max diff block lines reached; 122126/129181 bytes (94.54%) of diff not shown. | |||
| Offset 26, 21 lines modified | Offset 26, 21 lines modified | ||
| 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/> | 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/> |
| 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/> | 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/> |
| 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/> | 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/> |
| 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/> | 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/> |
| 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/> | 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/> |
| 31 | ····</ns0:checks> | 31 | ····</ns0:checks> |
| 32 | ··</ns0:data-stream> | 32 | ··</ns0:data-stream> |
| 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-07-1 | 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-07-12T18:46:00"> |
| 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 35 | ······<ns3:generator> | 35 | ······<ns3:generator> |
| 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> | 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> |
| 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> | 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> |
| 38 | ········<ns5:schema_version>5.11</ns5:schema_version> | 38 | ········<ns5:schema_version>5.11</ns5:schema_version> |
| 39 | ········<ns5:timestamp>2020-07-12T0 | 39 | ········<ns5:timestamp>2020-07-12T04:27:48</ns5:timestamp> |
| 40 | ······</ns3:generator> | 40 | ······</ns3:generator> |
| 41 | ······<ns3:definitions> | 41 | ······<ns3:definitions> |
| 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> | 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> |
| 43 | ··········<ns3:metadata> | 43 | ··········<ns3:metadata> |
| 44 | ············<ns3:title>Set·Password·dcredit·Requirements</ns3:title> | 44 | ············<ns3:title>Set·Password·dcredit·Requirements</ns3:title> |
| 45 | ············<ns3:affected·family="unix"> | 45 | ············<ns3:affected·family="unix"> |
| 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·6</ns3:platform> | 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·6</ns3:platform> |
| Offset 27893, 87 lines modified | Offset 27893, 99 lines modified | ||
| 27893 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> | 27893 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> |
| 27894 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> | 27894 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> |
| 27895 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> | 27895 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> |
| 27896 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> | 27896 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> |
| 27897 | ······</ns3:variables> | 27897 | ······</ns3:variables> |
| 27898 | ····</ns3:oval_definitions> | 27898 | ····</ns3:oval_definitions> |
| 27899 | ··</ns0:component> | 27899 | ··</ns0:component> |
| 27900 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-07-1 | 27900 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-07-12T18:46:00"> |
| 27901 | ····<ns9:ocil> | 27901 | ····<ns9:ocil> |
| 27902 | ······<ns9:generator> | 27902 | ······<ns9:generator> |
| 27903 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> | 27903 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> |
| 27904 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> | 27904 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> |
| 27905 | ········<ns9:schema_version>2.0</ns9:schema_version> | 27905 | ········<ns9:schema_version>2.0</ns9:schema_version> |
| 27906 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> | 27906 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> |
| 27907 | ······</ns9:generator> | 27907 | ······</ns9:generator> |
| 27908 | ······<ns9:questionnaires> | 27908 | ······<ns9:questionnaires> |
| 27909 | ········<ns9:questionnaire·id="ocil:ssg- | 27909 | ········<ns9:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> |
| 27910 | ··········<ns9:title> | 27910 | ··········<ns9:title>Enable·Logging·of·All·FTP·Transactions</ns9:title> |
| 27911 | ··········<ns9:actions> | ||
| 27912 | ············<ns9:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 27913 | ··········</ns9:actions> | ||
| 27914 | ········</ns9:questionnaire> | ||
| 27915 | ········<ns9:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1"> | ||
| 27916 | ··········<ns9:title>Uninstall·samba·Package</ns9:title> | ||
| 27917 | ··········<ns9:actions> | 27911 | ··········<ns9:actions> |
| 27918 | ············<ns9:test_action_ref>ocil:ssg- | 27912 | ············<ns9:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns9:test_action_ref> |
| 27919 | ··········</ns9:actions> | 27913 | ··········</ns9:actions> |
| 27920 | ········</ns9:questionnaire> | 27914 | ········</ns9:questionnaire> |
| 27921 | ········<ns9:questionnaire·id="ocil:ssg- | 27915 | ········<ns9:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> |
| 27922 | ··········<ns9:title> | 27916 | ··········<ns9:title>Create·Warning·Banners·for·All·FTP·Users</ns9:title> |
| 27923 | ··········<ns9:actions> | 27917 | ··········<ns9:actions> |
| 27924 | ············<ns9:test_action_ref>ocil:ssg- | 27918 | ············<ns9:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns9:test_action_ref> |
| 27925 | ··········</ns9:actions> | 27919 | ··········</ns9:actions> |
| 27926 | ········</ns9:questionnaire> | 27920 | ········</ns9:questionnaire> |
| 27927 | ········<ns9:questionnaire·id="ocil:ssg- | 27921 | ········<ns9:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> |
| 27928 | ··········<ns9:title> | 27922 | ··········<ns9:title>Disable·vsftpd·Service</ns9:title> |
| 27929 | ··········<ns9:actions> | 27923 | ··········<ns9:actions> |
| 27930 | ············<ns9:test_action_ref>ocil:ssg- | 27924 | ············<ns9:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns9:test_action_ref> |
| 27931 | ··········</ns9:actions> | 27925 | ··········</ns9:actions> |
| 27932 | ········</ns9:questionnaire> | 27926 | ········</ns9:questionnaire> |
| 27933 | ········<ns9:questionnaire·id="ocil:ssg- | 27927 | ········<ns9:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> |
| 27934 | ··········<ns9:title> | 27928 | ··········<ns9:title>Uninstall·vsftpd·Package</ns9:title> |
| 27935 | ··········<ns9:actions> | 27929 | ··········<ns9:actions> |
| 27936 | ············<ns9:test_action_ref>ocil:ssg- | 27930 | ············<ns9:test_action_ref>ocil:ssg-package_vsftpd_removed_action:testaction:1</ns9:test_action_ref> |
| 27937 | ··········</ns9:actions> | 27931 | ··········</ns9:actions> |
| 27938 | ········</ns9:questionnaire> | 27932 | ········</ns9:questionnaire> |
| 27939 | ········<ns9:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1"> | 27933 | ········<ns9:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1"> |
| 27940 | ··········<ns9:title>Disable·httpd·Service</ns9:title> | 27934 | ··········<ns9:title>Disable·httpd·Service</ns9:title> |
| 27941 | ··········<ns9:actions> | 27935 | ··········<ns9:actions> |
| 27942 | ············<ns9:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns9:test_action_ref> | 27936 | ············<ns9:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns9:test_action_ref> |
| 27943 | ··········</ns9:actions> | 27937 | ··········</ns9:actions> |
| 27944 | ········</ns9:questionnaire> | 27938 | ········</ns9:questionnaire> |
| 27945 | ········<ns9:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1"> | 27939 | ········<ns9:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1"> |
| 27946 | ··········<ns9:title>Uninstall·httpd·Package</ns9:title> | 27940 | ··········<ns9:title>Uninstall·httpd·Package</ns9:title> |
| 27947 | ··········<ns9:actions> | 27941 | ··········<ns9:actions> |
| 27948 | ············<ns9:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns9:test_action_ref> | 27942 | ············<ns9:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns9:test_action_ref> |
| 27949 | ··········</ns9:actions> | 27943 | ··········</ns9:actions> |
| 27950 | ········</ns9:questionnaire> | 27944 | ········</ns9:questionnaire> |
| 27951 | ········<ns9:questionnaire·id="ocil:ssg- | 27945 | ········<ns9:questionnaire·id="ocil:ssg-service_named_disabled_ocil:questionnaire:1"> |
| 27952 | ··········<ns9:title> | 27946 | ··········<ns9:title>Disable·DNS·Server</ns9:title> |
| 27953 | ··········<ns9:actions> | 27947 | ··········<ns9:actions> |
| 27954 | ············<ns9:test_action_ref>ocil:ssg- | 27948 | ············<ns9:test_action_ref>ocil:ssg-service_named_disabled_action:testaction:1</ns9:test_action_ref> |
| 27955 | ··········</ns9:actions> | 27949 | ··········</ns9:actions> |
| 27956 | ········</ns9:questionnaire> | 27950 | ········</ns9:questionnaire> |
| 27957 | ········<ns9:questionnaire·id="ocil:ssg-p | 27951 | ········<ns9:questionnaire·id="ocil:ssg-package_bind_removed_ocil:questionnaire:1"> |
| 27958 | ··········<ns9:title> | 27952 | ··········<ns9:title>Uninstall·bind·Package</ns9:title> |
| 27959 | ··········<ns9:actions> | 27953 | ··········<ns9:actions> |
| 27960 | ············<ns9:test_action_ref>ocil:ssg-p | 27954 | ············<ns9:test_action_ref>ocil:ssg-package_bind_removed_action:testaction:1</ns9:test_action_ref> |
| 27961 | ··········</ns9:actions> | 27955 | ··········</ns9:actions> |
| 27962 | ········</ns9:questionnaire> | 27956 | ········</ns9:questionnaire> |
| 27963 | ········<ns9:questionnaire·id="ocil:ssg- | 27957 | ········<ns9:questionnaire·id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1"> |
| 27964 | ··········<ns9:title> | 27958 | ··········<ns9:title>Disable·Samba</ns9:title> |
| 27965 | ··········<ns9:actions> | 27959 | ··········<ns9:actions> |
| 27966 | ············<ns9:test_action_ref>ocil:ssg- | 27960 | ············<ns9:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns9:test_action_ref> |
| 27967 | ··········</ns9:actions> | 27961 | ··········</ns9:actions> |
| 27968 | ········</ns9:questionnaire> | 27962 | ········</ns9:questionnaire> |
| 27969 | ········<ns9:questionnaire·id="ocil:ssg- | 27963 | ········<ns9:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1"> |
| 27970 | ··········<ns9:title> | 27964 | ··········<ns9:title>Uninstall·samba·Package</ns9:title> |
| 27971 | ··········<ns9:actions> | 27965 | ··········<ns9:actions> |
| 27972 | ············<ns9:test_action_ref>ocil:ssg- | 27966 | ············<ns9:test_action_ref>ocil:ssg-package_samba_removed_action:testaction:1</ns9:test_action_ref> |
| 27967 | ··········</ns9:actions> | ||
| 27968 | ········</ns9:questionnaire> | ||
| 27969 | ········<ns9:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1"> | ||
| 27970 | ··········<ns9:title>Install·the·Samba·Common·Package</ns9:title> | ||
| 27971 | ··········<ns9:actions> | ||
| 27972 | ············<ns9:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns9:test_action_ref> | ||
| 27973 | ··········</ns9:actions> | ||
| 27974 | ········</ns9:questionnaire> | ||
| 27975 | ········<ns9:questionnaire·id="ocil:ssg-require_smb_client_signing_ocil:questionnaire:1"> | ||
| 27976 | ··········<ns9:title>Require·Client·SMB·Packet·Signing,·if·using·smbclient</ns9:title> | ||
| 27977 | ··········<ns9:actions> | ||
| 27978 | ············<ns9:test_action_ref>ocil:ssg-require_smb_client_signing_action:testaction:1</ns9:test_action_ref> | ||
| 27979 | ··········</ns9:actions> | ||
| 27980 | ········</ns9:questionnaire> | ||
| 27981 | ········<ns9:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1"> | ||
| 27982 | ··········<ns9:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns9:title> | ||
| 27983 | ··········<ns9:actions> | ||
| 27984 | ············<ns9:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns9:test_action_ref> | ||
| 27973 | ··········</ns9:actions> | 27985 | ··········</ns9:actions> |
| 27974 | ········</ns9:questionnaire> | 27986 | ········</ns9:questionnaire> |
| 27975 | ········<ns9:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1"> | 27987 | ········<ns9:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1"> |
| 27976 | ··········<ns9:title>Configure·SSSD's·Memory·Cache·to·Expire</ns9:title> | 27988 | ··········<ns9:title>Configure·SSSD's·Memory·Cache·to·Expire</ns9:title> |
| 27977 | ··········<ns9:actions> | 27989 | ··········<ns9:actions> |
| 27978 | ············<ns9:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns9:test_action_ref> | 27990 | ············<ns9:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns9:test_action_ref> |
| 27979 | ··········</ns9:actions> | 27991 | ··········</ns9:actions> |
| Max diff block lines reached; 3871933/3882742 bytes (99.72%) of diff not shown. | |||
| Offset 213, 1325 lines modified | Offset 213, 14 lines modified | ||
| 213 | ····<dc:contributor>Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 213 | ····<dc:contributor>Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 214 | ····<dc:contributor>Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 214 | ····<dc:contributor>Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 215 | ····<dc:contributor>Jan·Černý·<jcerny@redhat.com></dc:contributor> | 215 | ····<dc:contributor>Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 216 | ····<dc:contributor>Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 216 | ····<dc:contributor>Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 217 | ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 217 | ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 218 | ··</ns0:metadata> | 218 | ··</ns0:metadata> |
| 219 | ··<ns0:model·system="urn:xccdf:scoring:default"/> | 219 | ··<ns0:model·system="urn:xccdf:scoring:default"/> |
| 220 | ··<ns0:Profile·id="usgcb-rhel6-server"> | ||
| 221 | ····<ns0:title·override="true"·xml:lang="en-US">United·States·Government·Configuration·Baseline·(USGCB)</ns0:title> | ||
| 222 | ····<ns0:description·override="true"·xml:lang="en-US">This·profile·is·a·working·draft·for·a·USGCB·submission·against | ||
| 223 | RHEL6·Server.</ns0:description> | ||
| 224 | ····<ns0:select·idref="kernel_disable_entropy_contribution_for_solid_state_drives"·selected="true"/> | ||
| 225 | ····<ns0:select·idref="partition_for_tmp"·selected="true"/> | ||
| 226 | ····<ns0:select·idref="partition_for_var"·selected="true"/> | ||
| 227 | ····<ns0:select·idref="partition_for_var_log"·selected="true"/> | ||
| 228 | ····<ns0:select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 229 | ····<ns0:select·idref="partition_for_home"·selected="true"/> | ||
| 230 | ····<ns0:select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> | ||
| 231 | ····<ns0:select·idref="service_rhnsd_disabled"·selected="true"/> | ||
| 232 | ····<ns0:select·idref="security_patches_up_to_date"·selected="true"/> | ||
| 233 | ····<ns0:select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> | ||
| 234 | ····<ns0:select·idref="ensure_gpgcheck_never_disabled"·selected="true"/> | ||
| 235 | ····<ns0:select·idref="package_aide_installed"·selected="true"/> | ||
| 236 | ····<ns0:select·idref="rpm_verify_permissions"·selected="true"/> | ||
| 237 | ····<ns0:select·idref="rpm_verify_hashes"·selected="true"/> | ||
| 238 | ····<ns0:select·idref="mount_option_nodev_nonroot_local_partitions"·selected="true"/> | ||
| 239 | ····<ns0:select·idref="mount_option_nodev_removable_partitions"·selected="true"/> | ||
| 240 | ····<ns0:select·idref="mount_option_noexec_removable_partitions"·selected="true"/> | ||
| 241 | ····<ns0:select·idref="mount_option_nosuid_removable_partitions"·selected="true"/> | ||
| 242 | ····<ns0:select·idref="mount_option_tmp_nodev"·selected="true"/> | ||
| 243 | ····<ns0:select·idref="mount_option_tmp_nosuid"·selected="true"/> | ||
| 244 | ····<ns0:select·idref="mount_option_tmp_noexec"·selected="true"/> | ||
| 245 | ····<ns0:select·idref="mount_option_dev_shm_nodev"·selected="true"/> | ||
| 246 | ····<ns0:select·idref="mount_option_dev_shm_nosuid"·selected="true"/> | ||
| 247 | ····<ns0:select·idref="mount_option_dev_shm_noexec"·selected="true"/> | ||
| 248 | ····<ns0:select·idref="mount_option_var_tmp_bind"·selected="true"/> | ||
| 249 | ····<ns0:select·idref="kernel_module_cramfs_disabled"·selected="true"/> | ||
| 250 | ····<ns0:select·idref="kernel_module_freevxfs_disabled"·selected="true"/> | ||
| 251 | ····<ns0:select·idref="kernel_module_hfs_disabled"·selected="true"/> | ||
| 252 | ····<ns0:select·idref="kernel_module_hfsplus_disabled"·selected="true"/> | ||
| 253 | ····<ns0:select·idref="kernel_module_jffs2_disabled"·selected="true"/> | ||
| 254 | ····<ns0:select·idref="kernel_module_squashfs_disabled"·selected="true"/> | ||
| 255 | ····<ns0:select·idref="kernel_module_udf_disabled"·selected="true"/> | ||
| 256 | ····<ns0:select·idref="file_permissions_etc_gshadow"·selected="true"/> | ||
| 257 | ····<ns0:select·idref="file_owner_etc_gshadow"·selected="true"/> | ||
| 258 | ····<ns0:select·idref="file_groupowner_etc_gshadow"·selected="true"/> | ||
| 259 | ····<ns0:select·idref="file_permissions_etc_shadow"·selected="true"/> | ||
| 260 | ····<ns0:select·idref="userowner_shadow_file"·selected="true"/> | ||
| 261 | ····<ns0:select·idref="groupowner_shadow_file"·selected="true"/> | ||
| 262 | ····<ns0:select·idref="file_permissions_etc_group"·selected="true"/> | ||
| 263 | ····<ns0:select·idref="file_owner_etc_group"·selected="true"/> | ||
| 264 | ····<ns0:select·idref="file_groupowner_etc_group"·selected="true"/> | ||
| 265 | ····<ns0:select·idref="file_permissions_etc_passwd"·selected="true"/> | ||
| 266 | ····<ns0:select·idref="file_owner_etc_passwd"·selected="true"/> | ||
| 267 | ····<ns0:select·idref="file_groupowner_etc_passwd"·selected="true"/> | ||
| 268 | ····<ns0:select·idref="dir_perms_world_writable_sticky_bits"·selected="true"/> | ||
| 269 | ····<ns0:select·idref="file_permissions_unauthorized_world_writable"·selected="true"/> | ||
| 270 | ····<ns0:select·idref="file_permissions_unauthorized_sgid"·selected="true"/> | ||
| 271 | ····<ns0:select·idref="file_permissions_unauthorized_suid"·selected="true"/> | ||
| 272 | ····<ns0:select·idref="no_files_unowned_by_user"·selected="true"/> | ||
| 273 | ····<ns0:select·idref="file_permissions_ungroupowned"·selected="true"/> | ||
| 274 | ····<ns0:select·idref="dir_perms_world_writable_system_owned"·selected="true"/> | ||
| 275 | ····<ns0:select·idref="umask_for_daemons"·selected="true"/> | ||
| 276 | ····<ns0:select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | ||
| 277 | ····<ns0:select·idref="disable_users_coredumps"·selected="true"/> | ||
| 278 | ····<ns0:select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | ||
| 279 | ····<ns0:select·idref="sysctl_kernel_exec_shield"·selected="true"/> | ||
| 280 | ····<ns0:select·idref="install_PAE_kernel_on_x86-32"·selected="true"/> | ||
| 281 | ····<ns0:select·idref="securetty_root_login_console_only"·selected="true"/> | ||
| 282 | ····<ns0:select·idref="restrict_serial_port_logins"·selected="true"/> | ||
| 283 | ····<ns0:select·idref="no_empty_passwords"·selected="true"/> | ||
| 284 | ····<ns0:select·idref="accounts_password_all_shadowed"·selected="true"/> | ||
| 285 | ····<ns0:select·idref="accounts_no_uid_except_zero"·selected="true"/> | ||
| 286 | ····<ns0:select·idref="accounts_password_warn_age_login_defs"·selected="true"/> | ||
| 287 | ····<ns0:select·idref="accounts_maximum_age_login_defs"·selected="true"/> | ||
| 288 | ····<ns0:select·idref="accounts_password_minlen_login_defs"·selected="true"/> | ||
| 289 | ····<ns0:select·idref="accounts_password_pam_retry"·selected="true"/> | ||
| 290 | ····<ns0:select·idref="accounts_password_pam_dcredit"·selected="true"/> | ||
| 291 | ····<ns0:select·idref="accounts_password_pam_ucredit"·selected="true"/> | ||
| 292 | ····<ns0:select·idref="accounts_password_pam_lcredit"·selected="true"/> | ||
| 293 | ····<ns0:select·idref="accounts_password_pam_ocredit"·selected="true"/> | ||
| 294 | ····<ns0:select·idref="accounts_password_pam_difok"·selected="true"/> | ||
| 295 | ····<ns0:select·idref="accounts_passwords_pam_faillock_deny"·selected="true"/> | ||
| 296 | ····<ns0:select·idref="set_password_hashing_algorithm_systemauth"·selected="true"/> | ||
| 297 | ····<ns0:select·idref="set_password_hashing_algorithm_logindefs"·selected="true"/> | ||
| 298 | ····<ns0:select·idref="accounts_password_pam_unix_remember"·selected="true"/> | ||
| 299 | ····<ns0:select·idref="root_path_no_dot"·selected="true"/> | ||
| 300 | ····<ns0:select·idref="accounts_root_path_dirs_no_write"·selected="true"/> | ||
| 301 | ····<ns0:select·idref="file_permissions_home_dirs"·selected="true"/> | ||
| 302 | ····<ns0:select·idref="accounts_umask_etc_bashrc"·selected="true"/> | ||
| 303 | ····<ns0:select·idref="accounts_umask_etc_csh_cshrc"·selected="true"/> | ||
| 304 | ····<ns0:select·idref="accounts_umask_etc_profile"·selected="true"/> | ||
| 305 | ····<ns0:select·idref="accounts_umask_etc_login_defs"·selected="true"/> | ||
| 306 | ····<ns0:select·idref="file_user_owner_grub_conf"·selected="true"/> | ||
| 307 | ····<ns0:select·idref="file_group_owner_grub_conf"·selected="true"/> | ||
| 308 | ····<ns0:select·idref="file_permissions_grub_conf"·selected="true"/> | ||
| 309 | ····<ns0:select·idref="bootloader_password"·selected="true"/> | ||
| 310 | ····<ns0:select·idref="disable_interactive_boot"·selected="true"/> | ||
| 311 | ····<ns0:select·idref="gconf_gnome_screensaver_idle_delay"·selected="true"/> | ||
| 312 | ····<ns0:select·idref="gconf_gnome_screensaver_idle_activation_enabled"·selected="true"/> | ||
| 313 | ····<ns0:select·idref="gconf_gnome_screensaver_lock_enabled"·selected="true"/> | ||
| 314 | ····<ns0:select·idref="gconf_gnome_screensaver_mode_blank"·selected="true"/> | ||
| 315 | ····<ns0:select·idref="banner_etc_issue"·selected="true"/> | ||
| 316 | ····<ns0:select·idref="selinux_state"·selected="true"/> | ||
| 317 | ····<ns0:select·idref="selinux_policytype"·selected="true"/> | ||
| 318 | ····<ns0:select·idref="enable_selinux_bootloader"·selected="true"/> | ||
| 319 | ····<ns0:select·idref="selinux_confinement_of_daemons"·selected="true"/> | ||
| 320 | ····<ns0:select·idref="selinux_all_devicefiles_labeled"·selected="true"/> | ||
| 321 | ····<ns0:select·idref="sysctl_net_ipv4_ip_forward"·selected="true"/> | ||
| 322 | ····<ns0:select·idref="sysctl_net_ipv4_conf_all_send_redirects"·selected="true"/> | ||
| 323 | ····<ns0:select·idref="sysctl_net_ipv4_conf_default_send_redirects"·selected="true"/> | ||
| 324 | ····<ns0:select·idref="sysctl_net_ipv4_conf_all_secure_redirects"·selected="true"/> | ||
| 325 | ····<ns0:select·idref="sysctl_net_ipv4_conf_all_accept_redirects"·selected="true"/> | ||
| 326 | ····<ns0:select·idref="sysctl_net_ipv4_conf_default_accept_source_route"·selected="true"/> | ||
| 327 | ····<ns0:select·idref="sysctl_net_ipv4_conf_default_secure_redirects"·selected="true"/> | ||
| 328 | ····<ns0:select·idref="sysctl_net_ipv4_conf_default_accept_redirects"·selected="true"/> | ||
| 329 | ····<ns0:select·idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses"·selected="true"/> | ||
| 330 | ····<ns0:select·idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts"·selected="true"/> | ||
| 331 | ····<ns0:select·idref="sysctl_net_ipv4_conf_all_log_martians"·selected="true"/> | ||
| 332 | ····<ns0:select·idref="sysctl_net_ipv4_conf_all_rp_filter"·selected="true"/> | ||
| 333 | ····<ns0:select·idref="sysctl_net_ipv4_tcp_syncookies"·selected="true"/> | ||
| 334 | ····<ns0:select·idref="sysctl_net_ipv4_conf_default_rp_filter"·selected="true"/> | ||
| 335 | ····<ns0:select·idref="wireless_disable_in_bios"·selected="true"/> | ||
| 336 | ····<ns0:select·idref="service_bluetooth_disabled"·selected="true"/> | ||
| 337 | ····<ns0:select·idref="network_ipv6_disable_rpc"·selected="true"/> | ||
| 338 | ····<ns0:select·idref="sysctl_net_ipv6_conf_default_accept_ra"·selected="true"/> | ||
| 339 | ····<ns0:select·idref="sysctl_net_ipv6_conf_default_accept_redirects"·selected="true"/> | ||
| Max diff block lines reached; 1662681/1756404 bytes (94.66%) of diff not shown. | |||
| Offset 26, 21 lines modified | Offset 26, 21 lines modified | ||
| 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/> | 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/> |
| 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/> | 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/> |
| 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/> | 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/> |
| 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/> | 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/> |
| 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/> | 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/> |
| 31 | ····</ns0:checks> | 31 | ····</ns0:checks> |
| 32 | ··</ns0:data-stream> | 32 | ··</ns0:data-stream> |
| 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-07-1 | 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-07-12T18:46:05"> |
| 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 35 | ······<ns3:generator> | 35 | ······<ns3:generator> |
| 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> | 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> |
| 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> | 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> |
| 38 | ········<ns5:schema_version>5.11</ns5:schema_version> | 38 | ········<ns5:schema_version>5.11</ns5:schema_version> |
| 39 | ········<ns5:timestamp>2020-07-12T0 | 39 | ········<ns5:timestamp>2020-07-12T04:32:03</ns5:timestamp> |
| 40 | ······</ns3:generator> | 40 | ······</ns3:generator> |
| 41 | ······<ns3:definitions> | 41 | ······<ns3:definitions> |
| 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> | 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> |
| 43 | ··········<ns3:metadata> | 43 | ··········<ns3:metadata> |
| 44 | ············<ns3:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns3:title> | 44 | ············<ns3:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns3:title> |
| 45 | ············<ns3:affected·family="unix"> | 45 | ············<ns3:affected·family="unix"> |
| 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·7</ns3:platform> | 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·7</ns3:platform> |
| Offset 31871, 29 lines modified | Offset 31871, 23 lines modified | ||
| 31871 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> | 31871 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> |
| 31872 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> | 31872 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> |
| 31873 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> | 31873 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> |
| 31874 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> | 31874 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> |
| 31875 | ······</ns3:variables> | 31875 | ······</ns3:variables> |
| 31876 | ····</ns3:oval_definitions> | 31876 | ····</ns3:oval_definitions> |
| 31877 | ··</ns0:component> | 31877 | ··</ns0:component> |
| 31878 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-07-1 | 31878 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-07-12T18:46:05"> |
| 31879 | ····<ns9:ocil> | 31879 | ····<ns9:ocil> |
| 31880 | ······<ns9:generator> | 31880 | ······<ns9:generator> |
| 31881 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> | 31881 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> |
| 31882 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> | 31882 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> |
| 31883 | ········<ns9:schema_version>2.0</ns9:schema_version> | 31883 | ········<ns9:schema_version>2.0</ns9:schema_version> |
| 31884 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> | 31884 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> |
| 31885 | ······</ns9:generator> | 31885 | ······</ns9:generator> |
| 31886 | ······<ns9:questionnaires> | 31886 | ······<ns9:questionnaires> |
| 31887 | ········<ns9:questionnaire·id="ocil:ssg-service_docker_enabled_ocil:questionnaire:1"> | ||
| 31888 | ··········<ns9:title>Enable·the·Docker·service</ns9:title> | ||
| 31889 | ··········<ns9:actions> | ||
| 31890 | ············<ns9:test_action_ref>ocil:ssg-service_docker_enabled_action:testaction:1</ns9:test_action_ref> | ||
| 31891 | ··········</ns9:actions> | ||
| 31892 | ········</ns9:questionnaire> | ||
| 31893 | ········<ns9:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1"> | 31887 | ········<ns9:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1"> |
| 31894 | ··········<ns9:title>Uninstall·rsh·Package</ns9:title> | 31888 | ··········<ns9:title>Uninstall·rsh·Package</ns9:title> |
| 31895 | ··········<ns9:actions> | 31889 | ··········<ns9:actions> |
| 31896 | ············<ns9:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns9:test_action_ref> | 31890 | ············<ns9:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns9:test_action_ref> |
| 31897 | ··········</ns9:actions> | 31891 | ··········</ns9:actions> |
| 31898 | ········</ns9:questionnaire> | 31892 | ········</ns9:questionnaire> |
| 31899 | ········<ns9:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> | 31893 | ········<ns9:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> |
| Offset 31952, 26 lines modified | Offset 31946, 26 lines modified | ||
| 31952 | ········</ns9:questionnaire> | 31946 | ········</ns9:questionnaire> |
| 31953 | ········<ns9:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1"> | 31947 | ········<ns9:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1"> |
| 31954 | ··········<ns9:title>Uninstall·telnet-server·Package</ns9:title> | 31948 | ··········<ns9:title>Uninstall·telnet-server·Package</ns9:title> |
| 31955 | ··········<ns9:actions> | 31949 | ··········<ns9:actions> |
| 31956 | ············<ns9:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns9:test_action_ref> | 31950 | ············<ns9:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns9:test_action_ref> |
| 31957 | ··········</ns9:actions> | 31951 | ··········</ns9:actions> |
| 31958 | ········</ns9:questionnaire> | 31952 | ········</ns9:questionnaire> |
| 31959 | ········<ns9:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"> | ||
| 31960 | ··········<ns9:title>Disable·ypbind·Service</ns9:title> | ||
| 31961 | ··········<ns9:actions> | ||
| 31962 | ············<ns9:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 31963 | ··········</ns9:actions> | ||
| 31964 | ········</ns9:questionnaire> | ||
| 31965 | ········<ns9:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1"> | 31953 | ········<ns9:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1"> |
| 31966 | ··········<ns9:title>Remove·NIS·Client</ns9:title> | 31954 | ··········<ns9:title>Remove·NIS·Client</ns9:title> |
| 31967 | ··········<ns9:actions> | 31955 | ··········<ns9:actions> |
| 31968 | ············<ns9:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns9:test_action_ref> | 31956 | ············<ns9:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns9:test_action_ref> |
| 31969 | ··········</ns9:actions> | 31957 | ··········</ns9:actions> |
| 31970 | ········</ns9:questionnaire> | 31958 | ········</ns9:questionnaire> |
| 31959 | ········<ns9:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"> | ||
| 31960 | ··········<ns9:title>Disable·ypbind·Service</ns9:title> | ||
| 31961 | ··········<ns9:actions> | ||
| 31962 | ············<ns9:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 31963 | ··········</ns9:actions> | ||
| 31964 | ········</ns9:questionnaire> | ||
| 31971 | ········<ns9:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1"> | 31965 | ········<ns9:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1"> |
| 31972 | ··········<ns9:title>Uninstall·ypserv·Package</ns9:title> | 31966 | ··········<ns9:title>Uninstall·ypserv·Package</ns9:title> |
| 31973 | ··········<ns9:actions> | 31967 | ··········<ns9:actions> |
| 31974 | ············<ns9:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns9:test_action_ref> | 31968 | ············<ns9:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns9:test_action_ref> |
| 31975 | ··········</ns9:actions> | 31969 | ··········</ns9:actions> |
| 31976 | ········</ns9:questionnaire> | 31970 | ········</ns9:questionnaire> |
| 31977 | ········<ns9:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1"> | 31971 | ········<ns9:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1"> |
| Offset 31994, 26 lines modified | Offset 31988, 26 lines modified | ||
| 31994 | ········</ns9:questionnaire> | 31988 | ········</ns9:questionnaire> |
| 31995 | ········<ns9:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> | 31989 | ········<ns9:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> |
| 31996 | ··········<ns9:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns9:title> | 31990 | ··········<ns9:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns9:title> |
| 31997 | ··········<ns9:actions> | 31991 | ··········<ns9:actions> |
| 31998 | ············<ns9:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns9:test_action_ref> | 31992 | ············<ns9:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns9:test_action_ref> |
| 31999 | ··········</ns9:actions> | 31993 | ··········</ns9:actions> |
| 32000 | ········</ns9:questionnaire> | 31994 | ········</ns9:questionnaire> |
| 32001 | ········<ns9:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> | ||
| 32002 | ··········<ns9:title>Disable·xinetd·Service</ns9:title> | ||
| 32003 | ··········<ns9:actions> | ||
| 32004 | ············<ns9:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 32005 | ··········</ns9:actions> | ||
| 32006 | ········</ns9:questionnaire> | ||
| 32007 | ········<ns9:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1"> | 31995 | ········<ns9:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1"> |
| 32008 | ··········<ns9:title>Install·tcp_wrappers·Package</ns9:title> | 31996 | ··········<ns9:title>Install·tcp_wrappers·Package</ns9:title> |
| 32009 | ··········<ns9:actions> | 31997 | ··········<ns9:actions> |
| 32010 | ············<ns9:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns9:test_action_ref> | 31998 | ············<ns9:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns9:test_action_ref> |
| 32011 | ··········</ns9:actions> | 31999 | ··········</ns9:actions> |
| 32012 | ········</ns9:questionnaire> | 32000 | ········</ns9:questionnaire> |
| 32001 | ········<ns9:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> | ||
| 32002 | ··········<ns9:title>Disable·xinetd·Service</ns9:title> | ||
| 32003 | ··········<ns9:actions> | ||
| 32004 | ············<ns9:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 32005 | ··········</ns9:actions> | ||
| 32006 | ········</ns9:questionnaire> | ||
| 32013 | ········<ns9:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> | 32007 | ········<ns9:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> |
| 32014 | ··········<ns9:title>Uninstall·xinetd·Package</ns9:title> | 32008 | ··········<ns9:title>Uninstall·xinetd·Package</ns9:title> |
| 32015 | ··········<ns9:actions> | 32009 | ··········<ns9:actions> |
| 32016 | ············<ns9:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns9:test_action_ref> | 32010 | ············<ns9:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns9:test_action_ref> |
| 32017 | ··········</ns9:actions> | 32011 | ··········</ns9:actions> |
| 32018 | ········</ns9:questionnaire> | 32012 | ········</ns9:questionnaire> |
| 32019 | ········<ns9:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> | 32013 | ········<ns9:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> |
| Offset 32024, 26 lines modified | Offset 32018, 38 lines modified | ||
| 32024 | ········</ns9:questionnaire> | 32018 | ········</ns9:questionnaire> |
| 32025 | ········<ns9:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> | 32019 | ········<ns9:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> |
| 32026 | ··········<ns9:title>Uninstall·talk-server·Package</ns9:title> | 32020 | ··········<ns9:title>Uninstall·talk-server·Package</ns9:title> |
| 32027 | ··········<ns9:actions> | 32021 | ··········<ns9:actions> |
| 32028 | ············<ns9:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns9:test_action_ref> | 32022 | ············<ns9:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns9:test_action_ref> |
| 32029 | ··········</ns9:actions> | 32023 | ··········</ns9:actions> |
| 32030 | ········</ns9:questionnaire> | 32024 | ········</ns9:questionnaire> |
| 32031 | ········<ns9:questionnaire·id="ocil:ssg- | 32025 | ········<ns9:questionnaire·id="ocil:ssg-service_dovecot_disabled_ocil:questionnaire:1"> |
| 32032 | ··········<ns9:title> | 32026 | ··········<ns9:title>Disable·Dovecot·Service</ns9:title> |
| Max diff block lines reached; 5529958/5538602 bytes (99.84%) of diff not shown. | |||
| Offset 213, 348 lines modified | Offset 213, 14 lines modified | ||
| 213 | ····<dc:contributor>Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 213 | ····<dc:contributor>Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 214 | ····<dc:contributor>Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 214 | ····<dc:contributor>Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 215 | ····<dc:contributor>Jan·Černý·<jcerny@redhat.com></dc:contributor> | 215 | ····<dc:contributor>Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 216 | ····<dc:contributor>Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 216 | ····<dc:contributor>Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 217 | ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 217 | ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 218 | ··</ns0:metadata> | 218 | ··</ns0:metadata> |
| 219 | ··<ns0:model·system="urn:xccdf:scoring:default"/> | 219 | ··<ns0:model·system="urn:xccdf:scoring:default"/> |
| 220 | ··<ns0:Profile·id="hipaa"> | ||
| 221 | ····<ns0:title·override="true"·xml:lang="en-US">Health·Insurance·Portability·and·Accountability·Act·(HIPAA)</ns0:title> | ||
| 222 | ····<ns0:description·override="true"·xml:lang="en-US">The·HIPAA·Security·Rule·establishes·U.S.·national·standards·to·protect·individuals’ | ||
| 223 | electronic·personal·health·information·that·is·created,·received,·used,·or | ||
| 224 | maintained·by·a·covered·entity.·The·Security·Rule·requires·appropriate | ||
| 225 | administrative,·physical·and·technical·safeguards·to·ensure·the | ||
| 226 | confidentiality,·integrity,·and·security·of·electronic·protected·health | ||
| 227 | information. | ||
| 228 | This·profile·configures·Red·Hat·Enterprise·Linux·7·to·the·HIPAA·Security | ||
| 229 | Rule·identified·for·securing·of·electronic·protected·health·information.</ns0:description> | ||
| 230 | ····<ns0:select·idref="bootloader_password"·selected="true"/> | ||
| 231 | ····<ns0:select·idref="bootloader_uefi_password"·selected="true"/> | ||
| 232 | ····<ns0:select·idref="file_group_owner_grub2_cfg"·selected="true"/> | ||
| 233 | ····<ns0:select·idref="file_permissions_grub2_cfg"·selected="true"/> | ||
| 234 | ····<ns0:select·idref="file_user_owner_grub2_cfg"·selected="true"/> | ||
| 235 | ····<ns0:select·idref="disable_interactive_boot"·selected="true"/> | ||
| 236 | ····<ns0:select·idref="no_direct_root_logins"·selected="true"/> | ||
| 237 | ····<ns0:select·idref="no_empty_passwords"·selected="true"/> | ||
| 238 | ····<ns0:select·idref="require_singleuser_auth"·selected="true"/> | ||
| 239 | ····<ns0:select·idref="restrict_serial_port_logins"·selected="true"/> | ||
| 240 | ····<ns0:select·idref="securetty_root_login_console_only"·selected="true"/> | ||
| 241 | ····<ns0:select·idref="service_debug-shell_disabled"·selected="true"/> | ||
| 242 | ····<ns0:select·idref="disable_ctrlaltdel_reboot"·selected="true"/> | ||
| 243 | ····<ns0:select·idref="disable_ctrlaltdel_burstaction"·selected="true"/> | ||
| 244 | ····<ns0:select·idref="dconf_gnome_remote_access_credential_prompt"·selected="true"/> | ||
| 245 | ····<ns0:select·idref="dconf_gnome_remote_access_encryption"·selected="true"/> | ||
| 246 | ····<ns0:select·idref="sshd_disable_empty_passwords"·selected="true"/> | ||
| 247 | ····<ns0:select·idref="sshd_disable_root_login"·selected="true"/> | ||
| 248 | ····<ns0:select·idref="libreswan_approved_tunnels"·selected="true"/> | ||
| 249 | ····<ns0:select·idref="no_rsh_trust_files"·selected="true"/> | ||
| 250 | ····<ns0:select·idref="package_rsh_removed"·selected="true"/> | ||
| 251 | ····<ns0:select·idref="package_rsh-server_removed"·selected="true"/> | ||
| 252 | ····<ns0:select·idref="package_talk_removed"·selected="true"/> | ||
| 253 | ····<ns0:select·idref="package_talk-server_removed"·selected="true"/> | ||
| 254 | ····<ns0:select·idref="package_telnet_removed"·selected="true"/> | ||
| 255 | ····<ns0:select·idref="package_telnet-server_removed"·selected="true"/> | ||
| 256 | ····<ns0:select·idref="package_xinetd_removed"·selected="true"/> | ||
| 257 | ····<ns0:select·idref="package_ypbind_removed"·selected="true"/> | ||
| 258 | ····<ns0:select·idref="package_ypserv_removed"·selected="true"/> | ||
| 259 | ····<ns0:select·idref="service_crond_enabled"·selected="true"/> | ||
| 260 | ····<ns0:select·idref="service_rexec_disabled"·selected="true"/> | ||
| 261 | ····<ns0:select·idref="service_rlogin_disabled"·selected="true"/> | ||
| 262 | ····<ns0:select·idref="service_rsh_disabled"·selected="true"/> | ||
| 263 | ····<ns0:select·idref="service_telnet_disabled"·selected="true"/> | ||
| 264 | ····<ns0:select·idref="service_xinetd_disabled"·selected="true"/> | ||
| 265 | ····<ns0:select·idref="service_ypbind_disabled"·selected="true"/> | ||
| 266 | ····<ns0:select·idref="service_zebra_disabled"·selected="true"/> | ||
| 267 | ····<ns0:select·idref="use_kerberos_security_all_exports"·selected="true"/> | ||
| 268 | ····<ns0:select·idref="disable_host_auth"·selected="true"/> | ||
| 269 | ····<ns0:select·idref="sshd_allow_only_protocol2"·selected="true"/> | ||
| 270 | ····<ns0:select·idref="sshd_disable_compression"·selected="true"/> | ||
| 271 | ····<ns0:select·idref="sshd_disable_gssapi_auth"·selected="true"/> | ||
| 272 | ····<ns0:select·idref="sshd_disable_kerb_auth"·selected="true"/> | ||
| 273 | ····<ns0:select·idref="sshd_disable_rhosts_rsa"·selected="true"/> | ||
| 274 | ····<ns0:select·idref="sshd_disable_rhosts"·selected="true"/> | ||
| 275 | ····<ns0:select·idref="sshd_disable_user_known_hosts"·selected="true"/> | ||
| 276 | ····<ns0:select·idref="sshd_do_not_permit_user_env"·selected="true"/> | ||
| 277 | ····<ns0:select·idref="sshd_enable_strictmodes"·selected="true"/> | ||
| 278 | ····<ns0:select·idref="sshd_enable_warning_banner"·selected="true"/> | ||
| 279 | ····<ns0:select·idref="sshd_set_keepalive"·selected="true"/> | ||
| 280 | ····<ns0:select·idref="sshd_use_priv_separation"·selected="true"/> | ||
| 281 | ····<ns0:select·idref="encrypt_partitions"·selected="true"/> | ||
| 282 | ····<ns0:select·idref="sshd_use_approved_ciphers"·selected="true"/> | ||
| 283 | ····<ns0:select·idref="sshd_use_approved_macs"·selected="true"/> | ||
| 284 | ····<ns0:select·idref="enable_selinux_bootloader"·selected="true"/> | ||
| 285 | ····<ns0:select·idref="sebool_selinuxuser_execheap"·selected="true"/> | ||
| 286 | ····<ns0:select·idref="sebool_selinuxuser_execmod"·selected="true"/> | ||
| 287 | ····<ns0:select·idref="sebool_selinuxuser_execstack"·selected="true"/> | ||
| 288 | ····<ns0:select·idref="selinux_confinement_of_daemons"·selected="true"/> | ||
| 289 | ····<ns0:select·idref="selinux_policytype"·selected="true"/> | ||
| 290 | ····<ns0:select·idref="selinux_state"·selected="true"/> | ||
| 291 | ····<ns0:select·idref="service_kdump_disabled"·selected="true"/> | ||
| 292 | ····<ns0:select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | ||
| 293 | ····<ns0:select·idref="sysctl_kernel_dmesg_restrict"·selected="true"/> | ||
| 294 | ····<ns0:select·idref="sysctl_kernel_exec_shield"·selected="true"/> | ||
| 295 | ····<ns0:select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | ||
| 296 | ····<ns0:select·idref="rpm_verify_hashes"·selected="true"/> | ||
| 297 | ····<ns0:select·idref="rpm_verify_permissions"·selected="true"/> | ||
| 298 | ····<ns0:select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> | ||
| 299 | ····<ns0:select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> | ||
| 300 | ····<ns0:select·idref="ensure_gpgcheck_never_disabled"·selected="true"/> | ||
| 301 | ····<ns0:select·idref="ensure_gpgcheck_repo_metadata"·selected="true"/> | ||
| 302 | ····<ns0:select·idref="ensure_gpgcheck_local_packages"·selected="true"/> | ||
| 303 | ····<ns0:select·idref="bootloader_audit_argument"·selected="true"/> | ||
| 304 | ····<ns0:select·idref="service_auditd_enabled"·selected="true"/> | ||
| 305 | ····<ns0:select·idref="audit_rules_privileged_commands_sudo"·selected="true"/> | ||
| 306 | ····<ns0:select·idref="audit_rules_privileged_commands_su"·selected="true"/> | ||
| 307 | ····<ns0:select·idref="audit_rules_immutable"·selected="true"/> | ||
| 308 | ····<ns0:select·idref="kernel_module_usb-storage_disabled"·selected="true"/> | ||
| 309 | ····<ns0:select·idref="service_autofs_disabled"·selected="true"/> | ||
| 310 | ····<ns0:select·idref="auditd_audispd_syslog_plugin_activated"·selected="true"/> | ||
| 311 | ····<ns0:select·idref="rsyslog_remote_loghost"·selected="true"/> | ||
| 312 | ····<ns0:select·idref="auditd_data_retention_flush"·selected="true"/> | ||
| 313 | ····<ns0:select·idref="audit_rules_dac_modification_chmod"·selected="true"/> | ||
| 314 | ····<ns0:select·idref="audit_rules_dac_modification_chown"·selected="true"/> | ||
| 315 | ····<ns0:select·idref="audit_rules_dac_modification_fchmodat"·selected="true"/> | ||
| 316 | ····<ns0:select·idref="audit_rules_dac_modification_fchmod"·selected="true"/> | ||
| 317 | ····<ns0:select·idref="audit_rules_dac_modification_fchownat"·selected="true"/> | ||
| 318 | ····<ns0:select·idref="audit_rules_dac_modification_fchown"·selected="true"/> | ||
| 319 | ····<ns0:select·idref="audit_rules_dac_modification_fremovexattr"·selected="true"/> | ||
| 320 | ····<ns0:select·idref="audit_rules_dac_modification_fsetxattr"·selected="true"/> | ||
| 321 | ····<ns0:select·idref="audit_rules_dac_modification_lchown"·selected="true"/> | ||
| 322 | ····<ns0:select·idref="audit_rules_dac_modification_lremovexattr"·selected="true"/> | ||
| 323 | ····<ns0:select·idref="audit_rules_dac_modification_lsetxattr"·selected="true"/> | ||
| 324 | ····<ns0:select·idref="audit_rules_dac_modification_removexattr"·selected="true"/> | ||
| 325 | ····<ns0:select·idref="audit_rules_dac_modification_setxattr"·selected="true"/> | ||
| 326 | ····<ns0:select·idref="audit_rules_execution_chcon"·selected="true"/> | ||
| 327 | ····<ns0:select·idref="audit_rules_execution_restorecon"·selected="true"/> | ||
| 328 | ····<ns0:select·idref="audit_rules_execution_semanage"·selected="true"/> | ||
| 329 | ····<ns0:select·idref="audit_rules_execution_setsebool"·selected="true"/> | ||
| 330 | ····<ns0:select·idref="audit_rules_file_deletion_events_renameat"·selected="true"/> | ||
| 331 | ····<ns0:select·idref="audit_rules_file_deletion_events_rename"·selected="true"/> | ||
| 332 | ····<ns0:select·idref="audit_rules_file_deletion_events_rmdir"·selected="true"/> | ||
| 333 | ····<ns0:select·idref="audit_rules_file_deletion_events_unlinkat"·selected="true"/> | ||
| 334 | ····<ns0:select·idref="audit_rules_file_deletion_events_unlink"·selected="true"/> | ||
| 335 | ····<ns0:select·idref="audit_rules_kernel_module_loading_delete"·selected="true"/> | ||
| 336 | ····<ns0:select·idref="audit_rules_kernel_module_loading_init"·selected="true"/> | ||
| 337 | ····<ns0:select·idref="audit_rules_kernel_module_loading_insmod"·selected="true"/> | ||
| 338 | ····<ns0:select·idref="audit_rules_kernel_module_loading_modprobe"·selected="true"/> | ||
| Max diff block lines reached; 1966174/1989941 bytes (98.81%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:27:33</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_rhel7:def:1"·version="1"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_rhel7:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Red·Hat·Enterprise·Linux·7</ns0:title> | 12 | ········<ns0:title>Red·Hat·Enterprise·Linux·7</ns0:title> |
| 13 | ········<ns0:affected·family="unix"/> | 13 | ········<ns0:affected·family="unix"/> |
| 14 | ········<ns0:reference·ref_id="cpe:/o:redhat:enterprise_linux:7"·source="CPE"/> | 14 | ········<ns0:reference·ref_id="cpe:/o:redhat:enterprise_linux:7"·source="CPE"/> |
| Offset 18, 21 lines modified | Offset 18, 21 lines modified | ||
| 18 | ····</ds:checklists> | 18 | ····</ds:checklists> |
| 19 | ····<ds:checks> | 19 | ····<ds:checks> |
| 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-oval.xml"/> | 20 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-oval.xml"/> |
| 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-ocil.xml"/> | 21 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-ocil.xml"/> |
| 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-cpe-oval.xml"/> | 22 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-cpe-oval.xml"/> |
| 23 | ····</ds:checks> | 23 | ····</ds:checks> |
| 24 | ··</ds:data-stream> | 24 | ··</ds:data-stream> |
| 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-oval.xml"·timestamp="2020-07-1 | 25 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-oval.xml"·timestamp="2020-07-12T18:45:51"> |
| 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 26 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 27 | ······<ns0:generator> | 27 | ······<ns0:generator> |
| 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 28 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 29 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 30 | ········<ns2:schema_version>5.11</ns2:schema_version> | 30 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 31 | ········<ns2:timestamp>2020-07-12T0 | 31 | ········<ns2:timestamp>2020-07-12T04:27:33</ns2:timestamp> |
| 32 | ······</ns0:generator> | 32 | ······</ns0:generator> |
| 33 | ······<ns0:definitions> | 33 | ······<ns0:definitions> |
| 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-horizon_csrf_cookie_secure:def:1"·version="1"> | 34 | ········<ns0:definition·class="compliance"·id="oval:ssg-horizon_csrf_cookie_secure:def:1"·version="1"> |
| 35 | ··········<ns0:metadata> | 35 | ··········<ns0:metadata> |
| 36 | ············<ns0:title>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:title> | 36 | ············<ns0:title>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:title> |
| 37 | ············<ns0:affected·family="unix"/> | 37 | ············<ns0:affected·family="unix"/> |
| 38 | ············<ns0:description>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:description> | 38 | ············<ns0:description>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:description> |
| Offset 4847, 27 lines modified | Offset 4847, 27 lines modified | ||
| 4847 | ········</ns3:textfilecontent54_state> | 4847 | ········</ns3:textfilecontent54_state> |
| 4848 | ········<ns3:textfilecontent54_state·id="oval:ssg-state_remote_filesystem_nosuid:ste:1"·version="1"> | 4848 | ········<ns3:textfilecontent54_state·id="oval:ssg-state_remote_filesystem_nosuid:ste:1"·version="1"> |
| 4849 | ··········<ns3:subexpression·operation="pattern·match">^.*nosuid.*$</ns3:subexpression> | 4849 | ··········<ns3:subexpression·operation="pattern·match">^.*nosuid.*$</ns3:subexpression> |
| 4850 | ········</ns3:textfilecontent54_state> | 4850 | ········</ns3:textfilecontent54_state> |
| 4851 | ······</ns0:states> | 4851 | ······</ns0:states> |
| 4852 | ····</ns0:oval_definitions> | 4852 | ····</ns0:oval_definitions> |
| 4853 | ··</ds:component> | 4853 | ··</ds:component> |
| 4854 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-ocil.xml"·timestamp="2020-07-1 | 4854 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-ocil.xml"·timestamp="2020-07-12T18:45:55"> |
| 4855 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 4855 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 4856 | ······<ns0:generator> | 4856 | ······<ns0:generator> |
| 4857 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 4857 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 4858 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 4858 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 4859 | ········<ns0:schema_version>2.0</ns0:schema_version> | 4859 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 4860 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 4860 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 4861 | ······</ns0:generator> | 4861 | ······</ns0:generator> |
| 4862 | ······<ns0:questionnaires> | 4862 | ······<ns0:questionnaires> |
| 4863 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 4863 | ········<ns0:questionnaire·id="ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1"> |
| 4864 | ··········<ns0:title> | 4864 | ··········<ns0:title>Enable·Use·of·Strict·Mode·Checking</ns0:title> |
| 4865 | ··········<ns0:actions> | 4865 | ··········<ns0:actions> |
| 4866 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 4866 | ············<ns0:test_action_ref>ocil:ssg-sshd_enable_strictmodes_action:testaction:1</ns0:test_action_ref> |
| 4867 | ··········</ns0:actions> | 4867 | ··········</ns0:actions> |
| 4868 | ········</ns0:questionnaire> | 4868 | ········</ns0:questionnaire> |
| 4869 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1"> | 4869 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1"> |
| 4870 | ··········<ns0:title>Disable·SSH·Support·for·User·Known·Hosts</ns0:title> | 4870 | ··········<ns0:title>Disable·SSH·Support·for·User·Known·Hosts</ns0:title> |
| 4871 | ··········<ns0:actions> | 4871 | ··········<ns0:actions> |
| 4872 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1</ns0:test_action_ref> | 4872 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1</ns0:test_action_ref> |
| 4873 | ··········</ns0:actions> | 4873 | ··········</ns0:actions> |
| Offset 4880, 36 lines modified | Offset 4880, 36 lines modified | ||
| 4880 | ········</ns0:questionnaire> | 4880 | ········</ns0:questionnaire> |
| 4881 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> | 4881 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 4882 | ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> | 4882 | ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 4883 | ··········<ns0:actions> | 4883 | ··········<ns0:actions> |
| 4884 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> | 4884 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 4885 | ··········</ns0:actions> | 4885 | ··········</ns0:actions> |
| 4886 | ········</ns0:questionnaire> | 4886 | ········</ns0:questionnaire> |
| 4887 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 4887 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 4888 | ··········<ns0:title> | 4888 | ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 4889 | ··········<ns0:actions> | 4889 | ··········<ns0:actions> |
| 4890 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 4890 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 4891 | ··········</ns0:actions> | 4891 | ··········</ns0:actions> |
| 4892 | ········</ns0:questionnaire> | 4892 | ········</ns0:questionnaire> |
| 4893 | ········<ns0:questionnaire·id="ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1"> | 4893 | ········<ns0:questionnaire·id="ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1"> |
| 4894 | ··········<ns0:title>Enable·SSH·Warning·Banner</ns0:title> | 4894 | ··········<ns0:title>Enable·SSH·Warning·Banner</ns0:title> |
| 4895 | ··········<ns0:actions> | 4895 | ··········<ns0:actions> |
| 4896 | ············<ns0:test_action_ref>ocil:ssg-sshd_enable_warning_banner_action:testaction:1</ns0:test_action_ref> | 4896 | ············<ns0:test_action_ref>ocil:ssg-sshd_enable_warning_banner_action:testaction:1</ns0:test_action_ref> |
| 4897 | ··········</ns0:actions> | 4897 | ··········</ns0:actions> |
| 4898 | ········</ns0:questionnaire> | 4898 | ········</ns0:questionnaire> |
| 4899 | ········<ns0:questionnaire·id="ocil:ssg-sshd_use_approved_macs_ocil:questionnaire:1"> | 4899 | ········<ns0:questionnaire·id="ocil:ssg-sshd_use_approved_macs_ocil:questionnaire:1"> |
| 4900 | ··········<ns0:title>Use·Only·FIPS·140-2·Validated·MACs</ns0:title> | 4900 | ··········<ns0:title>Use·Only·FIPS·140-2·Validated·MACs</ns0:title> |
| 4901 | ··········<ns0:actions> | 4901 | ··········<ns0:actions> |
| 4902 | ············<ns0:test_action_ref>ocil:ssg-sshd_use_approved_macs_action:testaction:1</ns0:test_action_ref> | 4902 | ············<ns0:test_action_ref>ocil:ssg-sshd_use_approved_macs_action:testaction:1</ns0:test_action_ref> |
| 4903 | ··········</ns0:actions> | 4903 | ··········</ns0:actions> |
| 4904 | ········</ns0:questionnaire> | 4904 | ········</ns0:questionnaire> |
| 4905 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 4905 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1"> |
| 4906 | ··········<ns0:title> | 4906 | ··········<ns0:title>Set·LogLevel·to·INFO</ns0:title> |
| 4907 | ··········<ns0:actions> | 4907 | ··········<ns0:actions> |
| 4908 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 4908 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_loglevel_info_action:testaction:1</ns0:test_action_ref> |
| 4909 | ··········</ns0:actions> | 4909 | ··········</ns0:actions> |
| 4910 | ········</ns0:questionnaire> | 4910 | ········</ns0:questionnaire> |
| 4911 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1"> | 4911 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1"> |
| 4912 | ··········<ns0:title>Disable·Kerberos·Authentication</ns0:title> | 4912 | ··········<ns0:title>Disable·Kerberos·Authentication</ns0:title> |
| 4913 | ··········<ns0:actions> | 4913 | ··········<ns0:actions> |
| 4914 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ns0:test_action_ref> | 4914 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ns0:test_action_ref> |
| 4915 | ··········</ns0:actions> | 4915 | ··········</ns0:actions> |
| Offset 4922, 24 lines modified | Offset 4922, 24 lines modified | ||
| 4922 | ········</ns0:questionnaire> | 4922 | ········</ns0:questionnaire> |
| 4923 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1"> | 4923 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1"> |
| 4924 | ··········<ns0:title>Disable·SSH·Support·for·.rhosts·Files</ns0:title> | 4924 | ··········<ns0:title>Disable·SSH·Support·for·.rhosts·Files</ns0:title> |
| 4925 | ··········<ns0:actions> | 4925 | ··········<ns0:actions> |
| 4926 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ns0:test_action_ref> | 4926 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ns0:test_action_ref> |
| 4927 | ··········</ns0:actions> | 4927 | ··········</ns0:actions> |
| 4928 | ········</ns0:questionnaire> | 4928 | ········</ns0:questionnaire> |
| 4929 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 4929 | ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1"> |
| 4930 | ··········<ns0:title> | 4930 | ··········<ns0:title>Disable·SSH·Support·for·Rhosts·RSA·Authentication</ns0:title> |
| 4931 | ··········<ns0:actions> | 4931 | ··········<ns0:actions> |
| 4932 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 4932 | ············<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ns0:test_action_ref> |
| 4933 | ··········</ns0:actions> | 4933 | ··········</ns0:actions> |
| 4934 | ········</ns0:questionnaire> | 4934 | ········</ns0:questionnaire> |
| 4935 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 4935 | ········<ns0:questionnaire·id="ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1"> |
| 4936 | ··········<ns0:title> | 4936 | ··········<ns0:title>Do·Not·Allow·SSH·Environment·Options</ns0:title> |
| 4937 | ··········<ns0:actions> | 4937 | ··········<ns0:actions> |
| 4938 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 4938 | ············<ns0:test_action_ref>ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1</ns0:test_action_ref> |
| 4939 | ··········</ns0:actions> | 4939 | ··········</ns0:actions> |
| 4940 | ········</ns0:questionnaire> | 4940 | ········</ns0:questionnaire> |
| 4941 | ········<ns0:questionnaire·id="ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1"> | 4941 | ········<ns0:questionnaire·id="ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1"> |
| 4942 | ··········<ns0:title>Enable·Encrypted·X11·Forwarding</ns0:title> | 4942 | ··········<ns0:title>Enable·Encrypted·X11·Forwarding</ns0:title> |
| 4943 | ··········<ns0:actions> | 4943 | ··········<ns0:actions> |
| 4944 | ············<ns0:test_action_ref>ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1</ns0:test_action_ref> | 4944 | ············<ns0:test_action_ref>ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1</ns0:test_action_ref> |
| 4945 | ··········</ns0:actions> | 4945 | ··········</ns0:actions> |
| Offset 4958, 18 lines modified | Offset 4958, 18 lines modified | ||
| 4958 | ········</ns0:questionnaire> | 4958 | ········</ns0:questionnaire> |
| 4959 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1"> | 4959 | ········<ns0:questionnaire·id="ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1"> |
| 4960 | ··········<ns0:title>Set·SSH·authentication·attempt·limit</ns0:title> | 4960 | ··········<ns0:title>Set·SSH·authentication·attempt·limit</ns0:title> |
| 4961 | ··········<ns0:actions> | 4961 | ··········<ns0:actions> |
| 4962 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_max_auth_tries_action:testaction:1</ns0:test_action_ref> | 4962 | ············<ns0:test_action_ref>ocil:ssg-sshd_set_max_auth_tries_action:testaction:1</ns0:test_action_ref> |
| 4963 | ··········</ns0:actions> | 4963 | ··········</ns0:actions> |
| 4964 | ········</ns0:questionnaire> | 4964 | ········</ns0:questionnaire> |
| 4965 | ········<ns0:questionnaire·id="ocil:ssg-sshd_ | 4965 | ········<ns0:questionnaire·id="ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1"> |
| 4966 | ··········<ns0:title> | 4966 | ··········<ns0:title>Use·Only·Strong·MACs</ns0:title> |
| 4967 | ··········<ns0:actions> | 4967 | ··········<ns0:actions> |
| 4968 | ············<ns0:test_action_ref>ocil:ssg-sshd_ | 4968 | ············<ns0:test_action_ref>ocil:ssg-sshd_use_strong_macs_action:testaction:1</ns0:test_action_ref> |
| 4969 | ··········</ns0:actions> | 4969 | ··········</ns0:actions> |
| 4970 | ········</ns0:questionnaire> | 4970 | ········</ns0:questionnaire> |
| 4971 | ········<ns0:questionnaire·id="ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1"> | 4971 | ········<ns0:questionnaire·id="ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1"> |
| 4972 | ··········<ns0:title>Enable·Use·of·Privilege·Separation</ns0:title> | 4972 | ··········<ns0:title>Enable·Use·of·Privilege·Separation</ns0:title> |
| Max diff block lines reached; 396242/406190 bytes (97.55%) of diff not shown. | |||
| Offset 3, 18 lines modified | Offset 3, 18 lines modified | ||
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 6 | ····<ns0:schema_version>2.0</ns0:schema_version> | 6 | ····<ns0:schema_version>2.0</ns0:schema_version> |
| 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:questionnaires> | 9 | ··<ns0:questionnaires> |
| 10 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 10 | ····<ns0:questionnaire·id="ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1"> |
| 11 | ······<ns0:title> | 11 | ······<ns0:title>Enable·Use·of·Strict·Mode·Checking</ns0:title> |
| 12 | ······<ns0:actions> | 12 | ······<ns0:actions> |
| 13 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 13 | ········<ns0:test_action_ref>ocil:ssg-sshd_enable_strictmodes_action:testaction:1</ns0:test_action_ref> |
| 14 | ······</ns0:actions> | 14 | ······</ns0:actions> |
| 15 | ····</ns0:questionnaire> | 15 | ····</ns0:questionnaire> |
| 16 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1"> | 16 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1"> |
| 17 | ······<ns0:title>Disable·SSH·Support·for·User·Known·Hosts</ns0:title> | 17 | ······<ns0:title>Disable·SSH·Support·for·User·Known·Hosts</ns0:title> |
| 18 | ······<ns0:actions> | 18 | ······<ns0:actions> |
| 19 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1</ns0:test_action_ref> | 19 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1</ns0:test_action_ref> |
| 20 | ······</ns0:actions> | 20 | ······</ns0:actions> |
| Offset 27, 36 lines modified | Offset 27, 36 lines modified | ||
| 27 | ····</ns0:questionnaire> | 27 | ····</ns0:questionnaire> |
| 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> | 28 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"> |
| 29 | ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> | 29 | ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title> |
| 30 | ······<ns0:actions> | 30 | ······<ns0:actions> |
| 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> | 31 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref> |
| 32 | ······</ns0:actions> | 32 | ······</ns0:actions> |
| 33 | ····</ns0:questionnaire> | 33 | ····</ns0:questionnaire> |
| 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 34 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"> |
| 35 | ······<ns0:title> | 35 | ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title> |
| 36 | ······<ns0:actions> | 36 | ······<ns0:actions> |
| 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 37 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref> |
| 38 | ······</ns0:actions> | 38 | ······</ns0:actions> |
| 39 | ····</ns0:questionnaire> | 39 | ····</ns0:questionnaire> |
| 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1"> | 40 | ····<ns0:questionnaire·id="ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1"> |
| 41 | ······<ns0:title>Enable·SSH·Warning·Banner</ns0:title> | 41 | ······<ns0:title>Enable·SSH·Warning·Banner</ns0:title> |
| 42 | ······<ns0:actions> | 42 | ······<ns0:actions> |
| 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_enable_warning_banner_action:testaction:1</ns0:test_action_ref> | 43 | ········<ns0:test_action_ref>ocil:ssg-sshd_enable_warning_banner_action:testaction:1</ns0:test_action_ref> |
| 44 | ······</ns0:actions> | 44 | ······</ns0:actions> |
| 45 | ····</ns0:questionnaire> | 45 | ····</ns0:questionnaire> |
| 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_use_approved_macs_ocil:questionnaire:1"> | 46 | ····<ns0:questionnaire·id="ocil:ssg-sshd_use_approved_macs_ocil:questionnaire:1"> |
| 47 | ······<ns0:title>Use·Only·FIPS·140-2·Validated·MACs</ns0:title> | 47 | ······<ns0:title>Use·Only·FIPS·140-2·Validated·MACs</ns0:title> |
| 48 | ······<ns0:actions> | 48 | ······<ns0:actions> |
| 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_use_approved_macs_action:testaction:1</ns0:test_action_ref> | 49 | ········<ns0:test_action_ref>ocil:ssg-sshd_use_approved_macs_action:testaction:1</ns0:test_action_ref> |
| 50 | ······</ns0:actions> | 50 | ······</ns0:actions> |
| 51 | ····</ns0:questionnaire> | 51 | ····</ns0:questionnaire> |
| 52 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 52 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1"> |
| 53 | ······<ns0:title> | 53 | ······<ns0:title>Set·LogLevel·to·INFO</ns0:title> |
| 54 | ······<ns0:actions> | 54 | ······<ns0:actions> |
| 55 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 55 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_loglevel_info_action:testaction:1</ns0:test_action_ref> |
| 56 | ······</ns0:actions> | 56 | ······</ns0:actions> |
| 57 | ····</ns0:questionnaire> | 57 | ····</ns0:questionnaire> |
| 58 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1"> | 58 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1"> |
| 59 | ······<ns0:title>Disable·Kerberos·Authentication</ns0:title> | 59 | ······<ns0:title>Disable·Kerberos·Authentication</ns0:title> |
| 60 | ······<ns0:actions> | 60 | ······<ns0:actions> |
| 61 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ns0:test_action_ref> | 61 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ns0:test_action_ref> |
| 62 | ······</ns0:actions> | 62 | ······</ns0:actions> |
| Offset 69, 24 lines modified | Offset 69, 24 lines modified | ||
| 69 | ····</ns0:questionnaire> | 69 | ····</ns0:questionnaire> |
| 70 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1"> | 70 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1"> |
| 71 | ······<ns0:title>Disable·SSH·Support·for·.rhosts·Files</ns0:title> | 71 | ······<ns0:title>Disable·SSH·Support·for·.rhosts·Files</ns0:title> |
| 72 | ······<ns0:actions> | 72 | ······<ns0:actions> |
| 73 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ns0:test_action_ref> | 73 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ns0:test_action_ref> |
| 74 | ······</ns0:actions> | 74 | ······</ns0:actions> |
| 75 | ····</ns0:questionnaire> | 75 | ····</ns0:questionnaire> |
| 76 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 76 | ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1"> |
| 77 | ······<ns0:title> | 77 | ······<ns0:title>Disable·SSH·Support·for·Rhosts·RSA·Authentication</ns0:title> |
| 78 | ······<ns0:actions> | 78 | ······<ns0:actions> |
| 79 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 79 | ········<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ns0:test_action_ref> |
| 80 | ······</ns0:actions> | 80 | ······</ns0:actions> |
| 81 | ····</ns0:questionnaire> | 81 | ····</ns0:questionnaire> |
| 82 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 82 | ····<ns0:questionnaire·id="ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1"> |
| 83 | ······<ns0:title> | 83 | ······<ns0:title>Do·Not·Allow·SSH·Environment·Options</ns0:title> |
| 84 | ······<ns0:actions> | 84 | ······<ns0:actions> |
| 85 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 85 | ········<ns0:test_action_ref>ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1</ns0:test_action_ref> |
| 86 | ······</ns0:actions> | 86 | ······</ns0:actions> |
| 87 | ····</ns0:questionnaire> | 87 | ····</ns0:questionnaire> |
| 88 | ····<ns0:questionnaire·id="ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1"> | 88 | ····<ns0:questionnaire·id="ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1"> |
| 89 | ······<ns0:title>Enable·Encrypted·X11·Forwarding</ns0:title> | 89 | ······<ns0:title>Enable·Encrypted·X11·Forwarding</ns0:title> |
| 90 | ······<ns0:actions> | 90 | ······<ns0:actions> |
| 91 | ········<ns0:test_action_ref>ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1</ns0:test_action_ref> | 91 | ········<ns0:test_action_ref>ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1</ns0:test_action_ref> |
| 92 | ······</ns0:actions> | 92 | ······</ns0:actions> |
| Offset 105, 18 lines modified | Offset 105, 18 lines modified | ||
| 105 | ····</ns0:questionnaire> | 105 | ····</ns0:questionnaire> |
| 106 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1"> | 106 | ····<ns0:questionnaire·id="ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1"> |
| 107 | ······<ns0:title>Set·SSH·authentication·attempt·limit</ns0:title> | 107 | ······<ns0:title>Set·SSH·authentication·attempt·limit</ns0:title> |
| 108 | ······<ns0:actions> | 108 | ······<ns0:actions> |
| 109 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_max_auth_tries_action:testaction:1</ns0:test_action_ref> | 109 | ········<ns0:test_action_ref>ocil:ssg-sshd_set_max_auth_tries_action:testaction:1</ns0:test_action_ref> |
| 110 | ······</ns0:actions> | 110 | ······</ns0:actions> |
| 111 | ····</ns0:questionnaire> | 111 | ····</ns0:questionnaire> |
| 112 | ····<ns0:questionnaire·id="ocil:ssg-sshd_ | 112 | ····<ns0:questionnaire·id="ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1"> |
| 113 | ······<ns0:title> | 113 | ······<ns0:title>Use·Only·Strong·MACs</ns0:title> |
| 114 | ······<ns0:actions> | 114 | ······<ns0:actions> |
| 115 | ········<ns0:test_action_ref>ocil:ssg-sshd_ | 115 | ········<ns0:test_action_ref>ocil:ssg-sshd_use_strong_macs_action:testaction:1</ns0:test_action_ref> |
| 116 | ······</ns0:actions> | 116 | ······</ns0:actions> |
| 117 | ····</ns0:questionnaire> | 117 | ····</ns0:questionnaire> |
| 118 | ····<ns0:questionnaire·id="ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1"> | 118 | ····<ns0:questionnaire·id="ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1"> |
| 119 | ······<ns0:title>Enable·Use·of·Privilege·Separation</ns0:title> | 119 | ······<ns0:title>Enable·Use·of·Privilege·Separation</ns0:title> |
| 120 | ······<ns0:actions> | 120 | ······<ns0:actions> |
| 121 | ········<ns0:test_action_ref>ocil:ssg-sshd_use_priv_separation_action:testaction:1</ns0:test_action_ref> | 121 | ········<ns0:test_action_ref>ocil:ssg-sshd_use_priv_separation_action:testaction:1</ns0:test_action_ref> |
| 122 | ······</ns0:actions> | 122 | ······</ns0:actions> |
| Offset 179, 15 lines modified | Offset 179, 15 lines modified | ||
| 179 | ······<ns0:title>Record·Events·that·Modify·User/Group·Information</ns0:title> | 179 | ······<ns0:title>Record·Events·that·Modify·User/Group·Information</ns0:title> |
| 180 | ······<ns0:actions> | 180 | ······<ns0:actions> |
| 181 | ········<ns0:test_action_ref>ocil:ssg-audit_rules_usergroup_modification_action:testaction:1</ns0:test_action_ref> | 181 | ········<ns0:test_action_ref>ocil:ssg-audit_rules_usergroup_modification_action:testaction:1</ns0:test_action_ref> |
| 182 | ······</ns0:actions> | 182 | ······</ns0:actions> |
| 183 | ····</ns0:questionnaire> | 183 | ····</ns0:questionnaire> |
| 184 | ··</ns0:questionnaires> | 184 | ··</ns0:questionnaires> |
| 185 | ··<ns0:test_actions> | 185 | ··<ns0:test_actions> |
| 186 | ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_ | 186 | ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_enable_strictmodes_action:testaction:1"·question_ref="ocil:ssg-sshd_enable_strictmodes_question:question:1"> |
| 187 | ······<ns0:when_true> | 187 | ······<ns0:when_true> |
| 188 | ········<ns0:result>PASS</ns0:result> | 188 | ········<ns0:result>PASS</ns0:result> |
| 189 | ······</ns0:when_true> | 189 | ······</ns0:when_true> |
| 190 | ······<ns0:when_false> | 190 | ······<ns0:when_false> |
| 191 | ········<ns0:result>FAIL</ns0:result> | 191 | ········<ns0:result>FAIL</ns0:result> |
| 192 | ······</ns0:when_false> | 192 | ······</ns0:when_false> |
| 193 | ····</ns0:boolean_question_test_action> | 193 | ····</ns0:boolean_question_test_action> |
| Offset 211, 15 lines modified | Offset 211, 15 lines modified | ||
| 211 | ······<ns0:when_true> | 211 | ······<ns0:when_true> |
| 212 | ········<ns0:result>PASS</ns0:result> | 212 | ········<ns0:result>PASS</ns0:result> |
| 213 | ······</ns0:when_true> | 213 | ······</ns0:when_true> |
| 214 | ······<ns0:when_false> | 214 | ······<ns0:when_false> |
| 215 | ········<ns0:result>FAIL</ns0:result> | 215 | ········<ns0:result>FAIL</ns0:result> |
| 216 | ······</ns0:when_false> | 216 | ······</ns0:when_false> |
| 217 | ····</ns0:boolean_question_test_action> | 217 | ····</ns0:boolean_question_test_action> |
| 218 | ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_ | 218 | ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_set_idle_timeout_action:testaction:1"·question_ref="ocil:ssg-sshd_set_idle_timeout_question:question:1"> |
| 219 | ······<ns0:when_true> | 219 | ······<ns0:when_true> |
| 220 | ········<ns0:result>PASS</ns0:result> | 220 | ········<ns0:result>PASS</ns0:result> |
| 221 | ······</ns0:when_true> | 221 | ······</ns0:when_true> |
| Max diff block lines reached; 12847/21091 bytes (60.91%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:27:33</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-horizon_csrf_cookie_secure:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-horizon_csrf_cookie_secure:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:title> | 12 | ········<ns0:title>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:title> |
| 13 | ········<ns0:affected·family="unix"/> | 13 | ········<ns0:affected·family="unix"/> |
| 14 | ········<ns0:description>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:description> | 14 | ········<ns0:description>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:description> |
| Offset 198, 22 lines modified | Offset 198, 27 lines modified | ||
| 198 | ····<select·idref="neutron_api_use_ssl"·selected="true"/> | 198 | ····<select·idref="neutron_api_use_ssl"·selected="true"/> |
| 199 | ····<select·idref="nova_file_ownership"·selected="true"/> | 199 | ····<select·idref="nova_file_ownership"·selected="true"/> |
| 200 | ····<select·idref="nova_file_perms"·selected="true"/> | 200 | ····<select·idref="nova_file_perms"·selected="true"/> |
| 201 | ····<select·idref="nova_use_keystone"·selected="true"/> | 201 | ····<select·idref="nova_use_keystone"·selected="true"/> |
| 202 | ····<select·idref="nova_secure_authentication"·selected="true"/> | 202 | ····<select·idref="nova_secure_authentication"·selected="true"/> |
| 203 | ····<select·idref="nova_secure_glance"·selected="true"/> | 203 | ····<select·idref="nova_secure_glance"·selected="true"/> |
| 204 | ····<select·idref="remediation_functions"·selected="false"/> | 204 | ····<select·idref="remediation_functions"·selected="false"/> |
| 205 | ····<select·idref="docker"·selected="false"/> | ||
| 206 | ····<select·idref="obsolete"·selected="false"/> | 205 | ····<select·idref="obsolete"·selected="false"/> |
| 207 | ····<select·idref="r_services"·selected="false"/> | 206 | ····<select·idref="r_services"·selected="false"/> |
| 208 | ····<select·idref="telnet"·selected="false"/> | 207 | ····<select·idref="telnet"·selected="false"/> |
| 209 | ····<select·idref="nis"·selected="false"/> | 208 | ····<select·idref="nis"·selected="false"/> |
| 210 | ····<select·idref="tftp"·selected="false"/> | 209 | ····<select·idref="tftp"·selected="false"/> |
| 211 | ····<select·idref="inetd_and_xinetd"·selected="false"/> | 210 | ····<select·idref="inetd_and_xinetd"·selected="false"/> |
| 212 | ····<select·idref="talk"·selected="false"/> | 211 | ····<select·idref="talk"·selected="false"/> |
| 212 | ····<select·idref="imap"·selected="false"/> | ||
| 213 | ····<select·idref="configure_dovecot"·selected="false"/> | ||
| 214 | ····<select·idref="dovecot_enabling_ssl"·selected="false"/> | ||
| 215 | ····<select·idref="dovecot_allow_imap_access"·selected="false"/> | ||
| 216 | ····<select·idref="dovecot_support_necessary_protocols"·selected="false"/> | ||
| 217 | ····<select·idref="disabling_dovecot"·selected="false"/> | ||
| 213 | ····<select·idref="ftp"·selected="false"/> | 218 | ····<select·idref="ftp"·selected="false"/> |
| 214 | ····<select·idref="ftp_configure_vsftpd"·selected="false"/> | 219 | ····<select·idref="ftp_configure_vsftpd"·selected="false"/> |
| 215 | ····<select·idref="ftp_configure_firewall"·selected="false"/> | 220 | ····<select·idref="ftp_configure_firewall"·selected="false"/> |
| 216 | ····<select·idref="ftp_restrict_users"·selected="false"/> | 221 | ····<select·idref="ftp_restrict_users"·selected="false"/> |
| 217 | ····<select·idref="ftp_limit_users"·selected="false"/> | 222 | ····<select·idref="ftp_limit_users"·selected="false"/> |
| 218 | ····<select·idref="ftp_use_vsftpd"·selected="false"/> | 223 | ····<select·idref="ftp_use_vsftpd"·selected="false"/> |
| 219 | ····<select·idref="disabling_vsftpd"·selected="false"/> | 224 | ····<select·idref="disabling_vsftpd"·selected="false"/> |
| Offset 285, 20 lines modified | Offset 290, 15 lines modified | ||
| 285 | ····<select·idref="dhcp"·selected="false"/> | 290 | ····<select·idref="dhcp"·selected="false"/> |
| 286 | ····<select·idref="disabling_dhcp_client"·selected="false"/> | 291 | ····<select·idref="disabling_dhcp_client"·selected="false"/> |
| 287 | ····<select·idref="dhcp_server_configuration"·selected="false"/> | 292 | ····<select·idref="dhcp_server_configuration"·selected="false"/> |
| 288 | ····<select·idref="dhcp_server_minimize_served_info"·selected="false"/> | 293 | ····<select·idref="dhcp_server_minimize_served_info"·selected="false"/> |
| 289 | ····<select·idref="disabling_dhcp_server"·selected="false"/> | 294 | ····<select·idref="disabling_dhcp_server"·selected="false"/> |
| 290 | ····<select·idref="dhcp_client_configuration"·selected="false"/> | 295 | ····<select·idref="dhcp_client_configuration"·selected="false"/> |
| 291 | ····<select·idref="dhcp_client_restrict_options"·selected="false"/> | 296 | ····<select·idref="dhcp_client_restrict_options"·selected="false"/> |
| 292 | ····<select·idref=" | 297 | ····<select·idref="docker"·selected="false"/> |
| 293 | ····<select·idref="configure_dovecot"·selected="false"/> | ||
| 294 | ····<select·idref="dovecot_enabling_ssl"·selected="false"/> | ||
| 295 | ····<select·idref="dovecot_allow_imap_access"·selected="false"/> | ||
| 296 | ····<select·idref="dovecot_support_necessary_protocols"·selected="false"/> | ||
| 297 | ····<select·idref="disabling_dovecot"·selected="false"/> | ||
| 298 | ····<select·idref="nfs_and_rpc"·selected="false"/> | 298 | ····<select·idref="nfs_and_rpc"·selected="false"/> |
| 299 | ····<select·idref="nfs_configuring_servers"·selected="false"/> | 299 | ····<select·idref="nfs_configuring_servers"·selected="false"/> |
| 300 | ····<select·idref="export_filesystems_read_only"·selected="false"/> | 300 | ····<select·idref="export_filesystems_read_only"·selected="false"/> |
| 301 | ····<select·idref="configure_exports_restrictively"·selected="false"/> | 301 | ····<select·idref="configure_exports_restrictively"·selected="false"/> |
| 302 | ····<select·idref="use_acl_enforce_auth_restrictions"·selected="false"/> | 302 | ····<select·idref="use_acl_enforce_auth_restrictions"·selected="false"/> |
| 303 | ····<select·idref="disabling_nfs"·selected="false"/> | 303 | ····<select·idref="disabling_nfs"·selected="false"/> |
| 304 | ····<select·idref="disabling_nfs_services"·selected="false"/> | 304 | ····<select·idref="disabling_nfs_services"·selected="false"/> |
| Offset 313, 26 lines modified | Offset 313, 26 lines modified | ||
| 313 | ····<select·idref="avahi"·selected="false"/> | 313 | ····<select·idref="avahi"·selected="false"/> |
| 314 | ····<select·idref="disable_avahi_group"·selected="false"/> | 314 | ····<select·idref="disable_avahi_group"·selected="false"/> |
| 315 | ····<select·idref="avahi_configuration"·selected="false"/> | 315 | ····<select·idref="avahi_configuration"·selected="false"/> |
| 316 | ····<select·idref="ssh"·selected="false"/> | 316 | ····<select·idref="ssh"·selected="false"/> |
| 317 | ····<select·idref="ssh_server"·selected="false"/> | 317 | ····<select·idref="ssh_server"·selected="false"/> |
| 318 | ····<select·idref="sshd_strengthen_firewall"·selected="false"/> | 318 | ····<select·idref="sshd_strengthen_firewall"·selected="false"/> |
| 319 | ····<select·idref="intro"·selected="false"/> | 319 | ····<select·idref="intro"·selected="false"/> |
| 320 | ····<select·idref="how-to-use"·selected="false"/> | ||
| 321 | ····<select·idref="intro-formatting-conventions"·selected="false"/> | ||
| 322 | ····<select·idref="intro-test-non-production"·selected="false"/> | ||
| 323 | ····<select·idref="intro-root-shell-assumed"·selected="false"/> | ||
| 324 | ····<select·idref="intro-read-sections-completely"·selected="false"/> | ||
| 325 | ····<select·idref="intro-reboot-required"·selected="false"/> | ||
| 326 | ····<select·idref="general-principles"·selected="false"/> | 320 | ····<select·idref="general-principles"·selected="false"/> |
| 327 | ····<select·idref="principle-encrypt-transmitted-data"·selected="false"/> | ||
| 328 | ····<select·idref="principle-minimize-software"·selected="false"/> | 321 | ····<select·idref="principle-minimize-software"·selected="false"/> |
| 329 | ····<select·idref="principle-use-security-tools"·selected="false"/> | ||
| 330 | ····<select·idref="principle-separate-servers"·selected="false"/> | 322 | ····<select·idref="principle-separate-servers"·selected="false"/> |
| 323 | ····<select·idref="principle-use-security-tools"·selected="false"/> | ||
| 324 | ····<select·idref="principle-encrypt-transmitted-data"·selected="false"/> | ||
| 331 | ····<select·idref="principle-least-privilege"·selected="false"/> | 325 | ····<select·idref="principle-least-privilege"·selected="false"/> |
| 326 | ····<select·idref="how-to-use"·selected="false"/> | ||
| 327 | ····<select·idref="intro-read-sections-completely"·selected="false"/> | ||
| 328 | ····<select·idref="intro-test-non-production"·selected="false"/> | ||
| 329 | ····<select·idref="intro-reboot-required"·selected="false"/> | ||
| 330 | ····<select·idref="intro-root-shell-assumed"·selected="false"/> | ||
| 331 | ····<select·idref="intro-formatting-conventions"·selected="false"/> | ||
| 332 | ····<select·idref="system"·selected="false"/> | 332 | ····<select·idref="system"·selected="false"/> |
| 333 | ····<select·idref="software"·selected="false"/> | 333 | ····<select·idref="software"·selected="false"/> |
| 334 | ····<select·idref="disk_partitioning"·selected="false"/> | 334 | ····<select·idref="disk_partitioning"·selected="false"/> |
| 335 | ····<select·idref="sudo"·selected="false"/> | 335 | ····<select·idref="sudo"·selected="false"/> |
| 336 | ····<select·idref="sap"·selected="false"/> | 336 | ····<select·idref="sap"·selected="false"/> |
| 337 | ····<select·idref="integrity"·selected="false"/> | 337 | ····<select·idref="integrity"·selected="false"/> |
| 338 | ····<select·idref="certified-vendor"·selected="false"/> | 338 | ····<select·idref="certified-vendor"·selected="false"/> |
| Offset 350, 27 lines modified | Offset 350, 27 lines modified | ||
| 350 | ····<select·idref="gnome_system_settings"·selected="false"/> | 350 | ····<select·idref="gnome_system_settings"·selected="false"/> |
| 351 | ····<select·idref="gnome_login_screen"·selected="false"/> | 351 | ····<select·idref="gnome_login_screen"·selected="false"/> |
| 352 | ····<select·idref="gnome_network_settings"·selected="false"/> | 352 | ····<select·idref="gnome_network_settings"·selected="false"/> |
| 353 | ····<select·idref="gnome_remote_access_settings"·selected="false"/> | 353 | ····<select·idref="gnome_remote_access_settings"·selected="false"/> |
| 354 | ····<select·idref="logging"·selected="false"/> | 354 | ····<select·idref="logging"·selected="false"/> |
| 355 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> | 355 | ····<select·idref="rsyslog_sending_messages"·selected="false"/> |
| 356 | ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/> | 356 | ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/> |
| 357 | ····<select·idref="configure_logwatch_on_logserver"·selected="false"/> | ||
| 358 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> | 357 | ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> |
| 358 | ····<select·idref="configure_logwatch_on_logserver"·selected="false"/> | ||
| 359 | ····<select·idref="log_rotation"·selected="false"/> | 359 | ····<select·idref="log_rotation"·selected="false"/> |
| 360 | ····<select·idref="network"·selected="false"/> | 360 | ····<select·idref="network"·selected="false"/> |
| 361 | ····<select·idref="network-firewalld"·selected="false"/> | ||
| 362 | ····<select·idref="ruleset_modifications"·selected="false"/> | ||
| 363 | ····<select·idref="firewalld_activation"·selected="false"/> | ||
| 364 | ····<select·idref="network-ipsec"·selected="false"/> | ||
| 365 | ····<select·idref="network-ipv6"·selected="false"/> | 361 | ····<select·idref="network-ipv6"·selected="false"/> |
| 366 | ····<select·idref="configuring_ipv6"·selected="false"/> | 362 | ····<select·idref="configuring_ipv6"·selected="false"/> |
| 367 | ····<select·idref="disabling_ipv6_autoconfig"·selected="false"/> | 363 | ····<select·idref="disabling_ipv6_autoconfig"·selected="false"/> |
| 368 | ····<select·idref="network_ipv6_limit_requests"·selected="false"/> | 364 | ····<select·idref="network_ipv6_limit_requests"·selected="false"/> |
| 369 | ····<select·idref="disabling_ipv6"·selected="false"/> | 365 | ····<select·idref="disabling_ipv6"·selected="false"/> |
| 366 | ····<select·idref="network-ipsec"·selected="false"/> | ||
| 367 | ····<select·idref="network-firewalld"·selected="false"/> | ||
| 368 | ····<select·idref="ruleset_modifications"·selected="false"/> | ||
| 369 | ····<select·idref="firewalld_activation"·selected="false"/> | ||
| 370 | ····<select·idref="network-kernel"·selected="false"/> | 370 | ····<select·idref="network-kernel"·selected="false"/> |
| 371 | ····<select·idref="network_host_and_router_parameters"·selected="false"/> | 371 | ····<select·idref="network_host_and_router_parameters"·selected="false"/> |
| 372 | ····<select·idref="network_host_parameters"·selected="false"/> | 372 | ····<select·idref="network_host_parameters"·selected="false"/> |
| 373 | ····<select·idref="network_ssl"·selected="false"/> | 373 | ····<select·idref="network_ssl"·selected="false"/> |
| 374 | ····<select·idref="network_disable_unused_interfaces"·selected="false"/> | 374 | ····<select·idref="network_disable_unused_interfaces"·selected="false"/> |
| 375 | ····<select·idref="network-uncommon"·selected="false"/> | 375 | ····<select·idref="network-uncommon"·selected="false"/> |
| 376 | ····<select·idref="network-wireless"·selected="false"/> | 376 | ····<select·idref="network-wireless"·selected="false"/> |
| Offset 392, 16 lines modified | Offset 392, 16 lines modified | ||
| 392 | ····<select·idref="set_password_hashing_algorithm"·selected="false"/> | 392 | ····<select·idref="set_password_hashing_algorithm"·selected="false"/> |
| 393 | ····<select·idref="locking_out_password_attempts"·selected="false"/> | 393 | ····<select·idref="locking_out_password_attempts"·selected="false"/> |
| 394 | ····<select·idref="password_quality"·selected="false"/> | 394 | ····<select·idref="password_quality"·selected="false"/> |
| 395 | ····<select·idref="password_quality_pwquality"·selected="false"/> | 395 | ····<select·idref="password_quality_pwquality"·selected="false"/> |
| 396 | ····<select·idref="accounts-banners"·selected="false"/> | 396 | ····<select·idref="accounts-banners"·selected="false"/> |
| 397 | ····<select·idref="gui_login_banner"·selected="false"/> | 397 | ····<select·idref="gui_login_banner"·selected="false"/> |
| 398 | ····<select·idref="accounts-session"·selected="false"/> | 398 | ····<select·idref="accounts-session"·selected="false"/> |
| 399 | ····<select·idref="user_umask"·selected="false"/> | ||
| 400 | ····<select·idref="root_paths"·selected="false"/> | 399 | ····<select·idref="root_paths"·selected="false"/> |
| Max diff block lines reached; 366483/374097 bytes (97.96%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:27:48</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>CentOS·6</ns0:title> | 12 | ········<ns0:title>CentOS·6</ns0:title> |
| 13 | ········<ns0:affected·family="unix"/> | 13 | ········<ns0:affected·family="unix"/> |
| 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> | 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> |
| Offset 26, 21 lines modified | Offset 26, 21 lines modified | ||
| 26 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/> | 26 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/> |
| 27 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/> | 27 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/> |
| 28 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/> | 28 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/> |
| 29 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/> | 29 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/> |
| 30 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/> | 30 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/> |
| 31 | ····</ds:checks> | 31 | ····</ds:checks> |
| 32 | ··</ds:data-stream> | 32 | ··</ds:data-stream> |
| 33 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-07-1 | 33 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-07-12T18:46:00"> |
| 34 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 34 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 35 | ······<ns0:generator> | 35 | ······<ns0:generator> |
| 36 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 36 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 37 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 37 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 38 | ········<ns2:schema_version>5.11</ns2:schema_version> | 38 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 39 | ········<ns2:timestamp>2020-07-12T0 | 39 | ········<ns2:timestamp>2020-07-12T04:27:48</ns2:timestamp> |
| 40 | ······</ns0:generator> | 40 | ······</ns0:generator> |
| 41 | ······<ns0:definitions> | 41 | ······<ns0:definitions> |
| 42 | ········<ns0:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> | 42 | ········<ns0:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> |
| 43 | ··········<ns0:metadata> | 43 | ··········<ns0:metadata> |
| 44 | ············<ns0:title>Set·Password·dcredit·Requirements</ns0:title> | 44 | ············<ns0:title>Set·Password·dcredit·Requirements</ns0:title> |
| 45 | ············<ns0:affected·family="unix"> | 45 | ············<ns0:affected·family="unix"> |
| 46 | ··············<ns0:platform>Red·Hat·Enterprise·Linux·6</ns0:platform> | 46 | ··············<ns0:platform>Red·Hat·Enterprise·Linux·6</ns0:platform> |
| Offset 27893, 87 lines modified | Offset 27893, 99 lines modified | ||
| 27893 | ········<ns0:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> | 27893 | ········<ns0:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> |
| 27894 | ········<ns0:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> | 27894 | ········<ns0:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> |
| 27895 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> | 27895 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> |
| 27896 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> | 27896 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> |
| 27897 | ······</ns0:variables> | 27897 | ······</ns0:variables> |
| 27898 | ····</ns0:oval_definitions> | 27898 | ····</ns0:oval_definitions> |
| 27899 | ··</ds:component> | 27899 | ··</ds:component> |
| 27900 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-07-1 | 27900 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-07-12T18:46:00"> |
| 27901 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 27901 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 27902 | ······<ns0:generator> | 27902 | ······<ns0:generator> |
| 27903 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 27903 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 27904 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 27904 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 27905 | ········<ns0:schema_version>2.0</ns0:schema_version> | 27905 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 27906 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 27906 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 27907 | ······</ns0:generator> | 27907 | ······</ns0:generator> |
| 27908 | ······<ns0:questionnaires> | 27908 | ······<ns0:questionnaires> |
| 27909 | ········<ns0:questionnaire·id="ocil:ssg- | 27909 | ········<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> |
| 27910 | ··········<ns0:title> | 27910 | ··········<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title> |
| 27911 | ··········<ns0:actions> | ||
| 27912 | ············<ns0:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 27913 | ··········</ns0:actions> | ||
| 27914 | ········</ns0:questionnaire> | ||
| 27915 | ········<ns0:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1"> | ||
| 27916 | ··········<ns0:title>Uninstall·samba·Package</ns0:title> | ||
| 27917 | ··········<ns0:actions> | 27911 | ··········<ns0:actions> |
| 27918 | ············<ns0:test_action_ref>ocil:ssg- | 27912 | ············<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref> |
| 27919 | ··········</ns0:actions> | 27913 | ··········</ns0:actions> |
| 27920 | ········</ns0:questionnaire> | 27914 | ········</ns0:questionnaire> |
| 27921 | ········<ns0:questionnaire·id="ocil:ssg- | 27915 | ········<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> |
| 27922 | ··········<ns0:title> | 27916 | ··········<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title> |
| 27923 | ··········<ns0:actions> | 27917 | ··········<ns0:actions> |
| 27924 | ············<ns0:test_action_ref>ocil:ssg- | 27918 | ············<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref> |
| 27925 | ··········</ns0:actions> | 27919 | ··········</ns0:actions> |
| 27926 | ········</ns0:questionnaire> | 27920 | ········</ns0:questionnaire> |
| 27927 | ········<ns0:questionnaire·id="ocil:ssg- | 27921 | ········<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> |
| 27928 | ··········<ns0:title> | 27922 | ··········<ns0:title>Disable·vsftpd·Service</ns0:title> |
| 27929 | ··········<ns0:actions> | 27923 | ··········<ns0:actions> |
| 27930 | ············<ns0:test_action_ref>ocil:ssg- | 27924 | ············<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref> |
| 27931 | ··········</ns0:actions> | 27925 | ··········</ns0:actions> |
| 27932 | ········</ns0:questionnaire> | 27926 | ········</ns0:questionnaire> |
| 27933 | ········<ns0:questionnaire·id="ocil:ssg- | 27927 | ········<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> |
| 27934 | ··········<ns0:title> | 27928 | ··········<ns0:title>Uninstall·vsftpd·Package</ns0:title> |
| 27935 | ··········<ns0:actions> | 27929 | ··········<ns0:actions> |
| 27936 | ············<ns0:test_action_ref>ocil:ssg- | 27930 | ············<ns0:test_action_ref>ocil:ssg-package_vsftpd_removed_action:testaction:1</ns0:test_action_ref> |
| 27937 | ··········</ns0:actions> | 27931 | ··········</ns0:actions> |
| 27938 | ········</ns0:questionnaire> | 27932 | ········</ns0:questionnaire> |
| 27939 | ········<ns0:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1"> | 27933 | ········<ns0:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1"> |
| 27940 | ··········<ns0:title>Disable·httpd·Service</ns0:title> | 27934 | ··········<ns0:title>Disable·httpd·Service</ns0:title> |
| 27941 | ··········<ns0:actions> | 27935 | ··········<ns0:actions> |
| 27942 | ············<ns0:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns0:test_action_ref> | 27936 | ············<ns0:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns0:test_action_ref> |
| 27943 | ··········</ns0:actions> | 27937 | ··········</ns0:actions> |
| 27944 | ········</ns0:questionnaire> | 27938 | ········</ns0:questionnaire> |
| 27945 | ········<ns0:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1"> | 27939 | ········<ns0:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1"> |
| 27946 | ··········<ns0:title>Uninstall·httpd·Package</ns0:title> | 27940 | ··········<ns0:title>Uninstall·httpd·Package</ns0:title> |
| 27947 | ··········<ns0:actions> | 27941 | ··········<ns0:actions> |
| 27948 | ············<ns0:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns0:test_action_ref> | 27942 | ············<ns0:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns0:test_action_ref> |
| 27949 | ··········</ns0:actions> | 27943 | ··········</ns0:actions> |
| 27950 | ········</ns0:questionnaire> | 27944 | ········</ns0:questionnaire> |
| 27951 | ········<ns0:questionnaire·id="ocil:ssg- | 27945 | ········<ns0:questionnaire·id="ocil:ssg-service_named_disabled_ocil:questionnaire:1"> |
| 27952 | ··········<ns0:title> | 27946 | ··········<ns0:title>Disable·DNS·Server</ns0:title> |
| 27953 | ··········<ns0:actions> | 27947 | ··········<ns0:actions> |
| 27954 | ············<ns0:test_action_ref>ocil:ssg- | 27948 | ············<ns0:test_action_ref>ocil:ssg-service_named_disabled_action:testaction:1</ns0:test_action_ref> |
| 27955 | ··········</ns0:actions> | 27949 | ··········</ns0:actions> |
| 27956 | ········</ns0:questionnaire> | 27950 | ········</ns0:questionnaire> |
| 27957 | ········<ns0:questionnaire·id="ocil:ssg-p | 27951 | ········<ns0:questionnaire·id="ocil:ssg-package_bind_removed_ocil:questionnaire:1"> |
| 27958 | ··········<ns0:title> | 27952 | ··········<ns0:title>Uninstall·bind·Package</ns0:title> |
| 27959 | ··········<ns0:actions> | 27953 | ··········<ns0:actions> |
| 27960 | ············<ns0:test_action_ref>ocil:ssg-p | 27954 | ············<ns0:test_action_ref>ocil:ssg-package_bind_removed_action:testaction:1</ns0:test_action_ref> |
| 27961 | ··········</ns0:actions> | 27955 | ··········</ns0:actions> |
| 27962 | ········</ns0:questionnaire> | 27956 | ········</ns0:questionnaire> |
| 27963 | ········<ns0:questionnaire·id="ocil:ssg- | 27957 | ········<ns0:questionnaire·id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1"> |
| 27964 | ··········<ns0:title> | 27958 | ··········<ns0:title>Disable·Samba</ns0:title> |
| 27965 | ··········<ns0:actions> | 27959 | ··········<ns0:actions> |
| 27966 | ············<ns0:test_action_ref>ocil:ssg- | 27960 | ············<ns0:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns0:test_action_ref> |
| 27967 | ··········</ns0:actions> | 27961 | ··········</ns0:actions> |
| 27968 | ········</ns0:questionnaire> | 27962 | ········</ns0:questionnaire> |
| 27969 | ········<ns0:questionnaire·id="ocil:ssg- | 27963 | ········<ns0:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1"> |
| 27970 | ··········<ns0:title> | 27964 | ··········<ns0:title>Uninstall·samba·Package</ns0:title> |
| 27971 | ··········<ns0:actions> | 27965 | ··········<ns0:actions> |
| 27972 | ············<ns0:test_action_ref>ocil:ssg- | 27966 | ············<ns0:test_action_ref>ocil:ssg-package_samba_removed_action:testaction:1</ns0:test_action_ref> |
| 27967 | ··········</ns0:actions> | ||
| 27968 | ········</ns0:questionnaire> | ||
| 27969 | ········<ns0:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1"> | ||
| 27970 | ··········<ns0:title>Install·the·Samba·Common·Package</ns0:title> | ||
| 27971 | ··········<ns0:actions> | ||
| 27972 | ············<ns0:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns0:test_action_ref> | ||
| 27973 | ··········</ns0:actions> | ||
| 27974 | ········</ns0:questionnaire> | ||
| 27975 | ········<ns0:questionnaire·id="ocil:ssg-require_smb_client_signing_ocil:questionnaire:1"> | ||
| 27976 | ··········<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·smbclient</ns0:title> | ||
| 27977 | ··········<ns0:actions> | ||
| 27978 | ············<ns0:test_action_ref>ocil:ssg-require_smb_client_signing_action:testaction:1</ns0:test_action_ref> | ||
| 27979 | ··········</ns0:actions> | ||
| 27980 | ········</ns0:questionnaire> | ||
| 27981 | ········<ns0:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1"> | ||
| 27982 | ··········<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns0:title> | ||
| 27983 | ··········<ns0:actions> | ||
| 27984 | ············<ns0:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns0:test_action_ref> | ||
| 27973 | ··········</ns0:actions> | 27985 | ··········</ns0:actions> |
| 27974 | ········</ns0:questionnaire> | 27986 | ········</ns0:questionnaire> |
| 27975 | ········<ns0:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1"> | 27987 | ········<ns0:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1"> |
| 27976 | ··········<ns0:title>Configure·SSSD's·Memory·Cache·to·Expire</ns0:title> | 27988 | ··········<ns0:title>Configure·SSSD's·Memory·Cache·to·Expire</ns0:title> |
| 27977 | ··········<ns0:actions> | 27989 | ··········<ns0:actions> |
| 27978 | ············<ns0:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns0:test_action_ref> | 27990 | ············<ns0:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns0:test_action_ref> |
| 27979 | ··········</ns0:actions> | 27991 | ··········</ns0:actions> |
| Max diff block lines reached; 4199928/4211171 bytes (99.73%) of diff not shown. | |||
| Offset 3, 78 lines modified | Offset 3, 90 lines modified | ||
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 6 | ····<ns0:schema_version>2.0</ns0:schema_version> | 6 | ····<ns0:schema_version>2.0</ns0:schema_version> |
| 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:questionnaires> | 9 | ··<ns0:questionnaires> |
| 10 | ····<ns0:questionnaire·id="ocil:ssg- | 10 | ····<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> |
| 11 | ······<ns0:title> | 11 | ······<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title> |
| 12 | ······<ns0:actions> | ||
| 13 | ········<ns0:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 14 | ······</ns0:actions> | ||
| 15 | ····</ns0:questionnaire> | ||
| 16 | ····<ns0:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1"> | ||
| 17 | ······<ns0:title>Uninstall·samba·Package</ns0:title> | ||
| 18 | ······<ns0:actions> | 12 | ······<ns0:actions> |
| 19 | ········<ns0:test_action_ref>ocil:ssg- | 13 | ········<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref> |
| 20 | ······</ns0:actions> | 14 | ······</ns0:actions> |
| 21 | ····</ns0:questionnaire> | 15 | ····</ns0:questionnaire> |
| 22 | ····<ns0:questionnaire·id="ocil:ssg- | 16 | ····<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> |
| 23 | ······<ns0:title> | 17 | ······<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title> |
| 24 | ······<ns0:actions> | 18 | ······<ns0:actions> |
| 25 | ········<ns0:test_action_ref>ocil:ssg- | 19 | ········<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref> |
| 26 | ······</ns0:actions> | 20 | ······</ns0:actions> |
| 27 | ····</ns0:questionnaire> | 21 | ····</ns0:questionnaire> |
| 28 | ····<ns0:questionnaire·id="ocil:ssg- | 22 | ····<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> |
| 29 | ······<ns0:title> | 23 | ······<ns0:title>Disable·vsftpd·Service</ns0:title> |
| 30 | ······<ns0:actions> | 24 | ······<ns0:actions> |
| 31 | ········<ns0:test_action_ref>ocil:ssg- | 25 | ········<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref> |
| 32 | ······</ns0:actions> | 26 | ······</ns0:actions> |
| 33 | ····</ns0:questionnaire> | 27 | ····</ns0:questionnaire> |
| 34 | ····<ns0:questionnaire·id="ocil:ssg- | 28 | ····<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> |
| 35 | ······<ns0:title> | 29 | ······<ns0:title>Uninstall·vsftpd·Package</ns0:title> |
| 36 | ······<ns0:actions> | 30 | ······<ns0:actions> |
| 37 | ········<ns0:test_action_ref>ocil:ssg- | 31 | ········<ns0:test_action_ref>ocil:ssg-package_vsftpd_removed_action:testaction:1</ns0:test_action_ref> |
| 38 | ······</ns0:actions> | 32 | ······</ns0:actions> |
| 39 | ····</ns0:questionnaire> | 33 | ····</ns0:questionnaire> |
| 40 | ····<ns0:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1"> | 34 | ····<ns0:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1"> |
| 41 | ······<ns0:title>Disable·httpd·Service</ns0:title> | 35 | ······<ns0:title>Disable·httpd·Service</ns0:title> |
| 42 | ······<ns0:actions> | 36 | ······<ns0:actions> |
| 43 | ········<ns0:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns0:test_action_ref> | 37 | ········<ns0:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns0:test_action_ref> |
| 44 | ······</ns0:actions> | 38 | ······</ns0:actions> |
| 45 | ····</ns0:questionnaire> | 39 | ····</ns0:questionnaire> |
| 46 | ····<ns0:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1"> | 40 | ····<ns0:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1"> |
| 47 | ······<ns0:title>Uninstall·httpd·Package</ns0:title> | 41 | ······<ns0:title>Uninstall·httpd·Package</ns0:title> |
| 48 | ······<ns0:actions> | 42 | ······<ns0:actions> |
| 49 | ········<ns0:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns0:test_action_ref> | 43 | ········<ns0:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns0:test_action_ref> |
| 50 | ······</ns0:actions> | 44 | ······</ns0:actions> |
| 51 | ····</ns0:questionnaire> | 45 | ····</ns0:questionnaire> |
| 52 | ····<ns0:questionnaire·id="ocil:ssg- | 46 | ····<ns0:questionnaire·id="ocil:ssg-service_named_disabled_ocil:questionnaire:1"> |
| 53 | ······<ns0:title> | 47 | ······<ns0:title>Disable·DNS·Server</ns0:title> |
| 54 | ······<ns0:actions> | 48 | ······<ns0:actions> |
| 55 | ········<ns0:test_action_ref>ocil:ssg- | 49 | ········<ns0:test_action_ref>ocil:ssg-service_named_disabled_action:testaction:1</ns0:test_action_ref> |
| 56 | ······</ns0:actions> | 50 | ······</ns0:actions> |
| 57 | ····</ns0:questionnaire> | 51 | ····</ns0:questionnaire> |
| 58 | ····<ns0:questionnaire·id="ocil:ssg-p | 52 | ····<ns0:questionnaire·id="ocil:ssg-package_bind_removed_ocil:questionnaire:1"> |
| 59 | ······<ns0:title> | 53 | ······<ns0:title>Uninstall·bind·Package</ns0:title> |
| 60 | ······<ns0:actions> | 54 | ······<ns0:actions> |
| 61 | ········<ns0:test_action_ref>ocil:ssg-p | 55 | ········<ns0:test_action_ref>ocil:ssg-package_bind_removed_action:testaction:1</ns0:test_action_ref> |
| 62 | ······</ns0:actions> | 56 | ······</ns0:actions> |
| 63 | ····</ns0:questionnaire> | 57 | ····</ns0:questionnaire> |
| 64 | ····<ns0:questionnaire·id="ocil:ssg- | 58 | ····<ns0:questionnaire·id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1"> |
| 65 | ······<ns0:title> | 59 | ······<ns0:title>Disable·Samba</ns0:title> |
| 66 | ······<ns0:actions> | 60 | ······<ns0:actions> |
| 67 | ········<ns0:test_action_ref>ocil:ssg- | 61 | ········<ns0:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns0:test_action_ref> |
| 68 | ······</ns0:actions> | 62 | ······</ns0:actions> |
| 69 | ····</ns0:questionnaire> | 63 | ····</ns0:questionnaire> |
| 70 | ····<ns0:questionnaire·id="ocil:ssg- | 64 | ····<ns0:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1"> |
| 71 | ······<ns0:title> | 65 | ······<ns0:title>Uninstall·samba·Package</ns0:title> |
| 72 | ······<ns0:actions> | 66 | ······<ns0:actions> |
| 73 | ········<ns0:test_action_ref>ocil:ssg- | 67 | ········<ns0:test_action_ref>ocil:ssg-package_samba_removed_action:testaction:1</ns0:test_action_ref> |
| 68 | ······</ns0:actions> | ||
| 69 | ····</ns0:questionnaire> | ||
| 70 | ····<ns0:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1"> | ||
| 71 | ······<ns0:title>Install·the·Samba·Common·Package</ns0:title> | ||
| 72 | ······<ns0:actions> | ||
| 73 | ········<ns0:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns0:test_action_ref> | ||
| 74 | ······</ns0:actions> | ||
| 75 | ····</ns0:questionnaire> | ||
| 76 | ····<ns0:questionnaire·id="ocil:ssg-require_smb_client_signing_ocil:questionnaire:1"> | ||
| 77 | ······<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·smbclient</ns0:title> | ||
| 78 | ······<ns0:actions> | ||
| 79 | ········<ns0:test_action_ref>ocil:ssg-require_smb_client_signing_action:testaction:1</ns0:test_action_ref> | ||
| 80 | ······</ns0:actions> | ||
| 81 | ····</ns0:questionnaire> | ||
| 82 | ····<ns0:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1"> | ||
| 83 | ······<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns0:title> | ||
| 84 | ······<ns0:actions> | ||
| 85 | ········<ns0:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns0:test_action_ref> | ||
| 74 | ······</ns0:actions> | 86 | ······</ns0:actions> |
| 75 | ····</ns0:questionnaire> | 87 | ····</ns0:questionnaire> |
| 76 | ····<ns0:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1"> | 88 | ····<ns0:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1"> |
| 77 | ······<ns0:title>Configure·SSSD's·Memory·Cache·to·Expire</ns0:title> | 89 | ······<ns0:title>Configure·SSSD's·Memory·Cache·to·Expire</ns0:title> |
| 78 | ······<ns0:actions> | 90 | ······<ns0:actions> |
| 79 | ········<ns0:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns0:test_action_ref> | 91 | ········<ns0:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns0:test_action_ref> |
| 80 | ······</ns0:actions> | 92 | ······</ns0:actions> |
| Offset 99, 48 lines modified | Offset 111, 42 lines modified | ||
| 99 | ····</ns0:questionnaire> | 111 | ····</ns0:questionnaire> |
| 100 | ····<ns0:questionnaire·id="ocil:ssg-service_sssd_enabled_ocil:questionnaire:1"> | 112 | ····<ns0:questionnaire·id="ocil:ssg-service_sssd_enabled_ocil:questionnaire:1"> |
| 101 | ······<ns0:title>Enable·the·SSSD·Service</ns0:title> | 113 | ······<ns0:title>Enable·the·SSSD·Service</ns0:title> |
| 102 | ······<ns0:actions> | 114 | ······<ns0:actions> |
| 103 | ········<ns0:test_action_ref>ocil:ssg-service_sssd_enabled_action:testaction:1</ns0:test_action_ref> | 115 | ········<ns0:test_action_ref>ocil:ssg-service_sssd_enabled_action:testaction:1</ns0:test_action_ref> |
| 104 | ······</ns0:actions> | 116 | ······</ns0:actions> |
| 105 | ····</ns0:questionnaire> | 117 | ····</ns0:questionnaire> |
| 106 | ····<ns0:questionnaire·id="ocil:ssg-sysconfig_networking_bootproto_ifcfg_ocil:questionnaire:1"> | ||
| 107 | ······<ns0:title>Disable·DHCP·Client</ns0:title> | ||
| 108 | ······<ns0:actions> | ||
| 109 | ········<ns0:test_action_ref>ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1</ns0:test_action_ref> | ||
| 110 | ······</ns0:actions> | ||
| 111 | ····</ns0:questionnaire> | ||
| 112 | ····<ns0:questionnaire·id="ocil:ssg-package_dhcp_removed_ocil:questionnaire:1"> | ||
| 113 | ······<ns0:title>Uninstall·DHCP·Server·Package</ns0:title> | ||
| 114 | ······<ns0:actions> | ||
| 115 | ········<ns0:test_action_ref>ocil:ssg-package_dhcp_removed_action:testaction:1</ns0:test_action_ref> | ||
| 116 | ······</ns0:actions> | ||
| 117 | ····</ns0:questionnaire> | ||
| 118 | ····<ns0:questionnaire·id="ocil:ssg-service_dhcpd_disabled_ocil:questionnaire:1"> | ||
| 119 | ······<ns0:title>Disable·DHCP·Service</ns0:title> | ||
| 120 | ······<ns0:actions> | ||
| 121 | ········<ns0:test_action_ref>ocil:ssg-service_dhcpd_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 122 | ······</ns0:actions> | ||
| 123 | ····</ns0:questionnaire> | ||
| 124 | ····<ns0:questionnaire·id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1"> | 118 | ····<ns0:questionnaire·id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1"> |
| 125 | ······<ns0:title>Enable·the·NTP·Daemon</ns0:title> | 119 | ······<ns0:title>Enable·the·NTP·Daemon</ns0:title> |
| 126 | ······<ns0:actions> | 120 | ······<ns0:actions> |
| 127 | ········<ns0:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ns0:test_action_ref> | 121 | ········<ns0:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ns0:test_action_ref> |
| 128 | ······</ns0:actions> | 122 | ······</ns0:actions> |
| Max diff block lines reached; 429590/438406 bytes (97.99%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:27:48</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Set·Password·dcredit·Requirements</ns0:title> | 12 | ········<ns0:title>Set·Password·dcredit·Requirements</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Red·Hat·Enterprise·Linux·6</ns0:platform> | 14 | ··········<ns0:platform>Red·Hat·Enterprise·Linux·6</ns0:platform> |
| Offset 162, 1325 lines modified | Offset 162, 14 lines modified | ||
| 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 164 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> | 164 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 165 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 165 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 166 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 166 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 167 | ··</metadata> | 167 | ··</metadata> |
| 168 | ··<model·system="urn:xccdf:scoring:default"/> | 168 | ··<model·system="urn:xccdf:scoring:default"/> |
| 169 | ··<Profile·id="usgcb-rhel6-server"> | ||
| 170 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">United·States·Government·Configuration·Baseline·(USGCB)</title> | ||
| 171 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·is·a·working·draft·for·a·USGCB·submission·against | ||
| 172 | RHEL6·Server.</description> | ||
| 173 | ····<select·idref="kernel_disable_entropy_contribution_for_solid_state_drives"·selected="true"/> | ||
| 174 | ····<select·idref="partition_for_tmp"·selected="true"/> | ||
| 175 | ····<select·idref="partition_for_var"·selected="true"/> | ||
| 176 | ····<select·idref="partition_for_var_log"·selected="true"/> | ||
| 177 | ····<select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 178 | ····<select·idref="partition_for_home"·selected="true"/> | ||
| 179 | ····<select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> | ||
| 180 | ····<select·idref="service_rhnsd_disabled"·selected="true"/> | ||
| 181 | ····<select·idref="security_patches_up_to_date"·selected="true"/> | ||
| 182 | ····<select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> | ||
| 183 | ····<select·idref="ensure_gpgcheck_never_disabled"·selected="true"/> | ||
| 184 | ····<select·idref="package_aide_installed"·selected="true"/> | ||
| 185 | ····<select·idref="rpm_verify_permissions"·selected="true"/> | ||
| 186 | ····<select·idref="rpm_verify_hashes"·selected="true"/> | ||
| 187 | ····<select·idref="mount_option_nodev_nonroot_local_partitions"·selected="true"/> | ||
| 188 | ····<select·idref="mount_option_nodev_removable_partitions"·selected="true"/> | ||
| 189 | ····<select·idref="mount_option_noexec_removable_partitions"·selected="true"/> | ||
| 190 | ····<select·idref="mount_option_nosuid_removable_partitions"·selected="true"/> | ||
| 191 | ····<select·idref="mount_option_tmp_nodev"·selected="true"/> | ||
| 192 | ····<select·idref="mount_option_tmp_nosuid"·selected="true"/> | ||
| 193 | ····<select·idref="mount_option_tmp_noexec"·selected="true"/> | ||
| 194 | ····<select·idref="mount_option_dev_shm_nodev"·selected="true"/> | ||
| 195 | ····<select·idref="mount_option_dev_shm_nosuid"·selected="true"/> | ||
| 196 | ····<select·idref="mount_option_dev_shm_noexec"·selected="true"/> | ||
| 197 | ····<select·idref="mount_option_var_tmp_bind"·selected="true"/> | ||
| 198 | ····<select·idref="kernel_module_cramfs_disabled"·selected="true"/> | ||
| 199 | ····<select·idref="kernel_module_freevxfs_disabled"·selected="true"/> | ||
| 200 | ····<select·idref="kernel_module_hfs_disabled"·selected="true"/> | ||
| 201 | ····<select·idref="kernel_module_hfsplus_disabled"·selected="true"/> | ||
| 202 | ····<select·idref="kernel_module_jffs2_disabled"·selected="true"/> | ||
| 203 | ····<select·idref="kernel_module_squashfs_disabled"·selected="true"/> | ||
| 204 | ····<select·idref="kernel_module_udf_disabled"·selected="true"/> | ||
| 205 | ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> | ||
| 206 | ····<select·idref="file_owner_etc_gshadow"·selected="true"/> | ||
| 207 | ····<select·idref="file_groupowner_etc_gshadow"·selected="true"/> | ||
| 208 | ····<select·idref="file_permissions_etc_shadow"·selected="true"/> | ||
| 209 | ····<select·idref="userowner_shadow_file"·selected="true"/> | ||
| 210 | ····<select·idref="groupowner_shadow_file"·selected="true"/> | ||
| 211 | ····<select·idref="file_permissions_etc_group"·selected="true"/> | ||
| 212 | ····<select·idref="file_owner_etc_group"·selected="true"/> | ||
| 213 | ····<select·idref="file_groupowner_etc_group"·selected="true"/> | ||
| 214 | ····<select·idref="file_permissions_etc_passwd"·selected="true"/> | ||
| 215 | ····<select·idref="file_owner_etc_passwd"·selected="true"/> | ||
| 216 | ····<select·idref="file_groupowner_etc_passwd"·selected="true"/> | ||
| 217 | ····<select·idref="dir_perms_world_writable_sticky_bits"·selected="true"/> | ||
| 218 | ····<select·idref="file_permissions_unauthorized_world_writable"·selected="true"/> | ||
| 219 | ····<select·idref="file_permissions_unauthorized_sgid"·selected="true"/> | ||
| 220 | ····<select·idref="file_permissions_unauthorized_suid"·selected="true"/> | ||
| 221 | ····<select·idref="no_files_unowned_by_user"·selected="true"/> | ||
| 222 | ····<select·idref="file_permissions_ungroupowned"·selected="true"/> | ||
| 223 | ····<select·idref="dir_perms_world_writable_system_owned"·selected="true"/> | ||
| 224 | ····<select·idref="umask_for_daemons"·selected="true"/> | ||
| 225 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | ||
| 226 | ····<select·idref="disable_users_coredumps"·selected="true"/> | ||
| 227 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | ||
| 228 | ····<select·idref="sysctl_kernel_exec_shield"·selected="true"/> | ||
| 229 | ····<select·idref="install_PAE_kernel_on_x86-32"·selected="true"/> | ||
| 230 | ····<select·idref="securetty_root_login_console_only"·selected="true"/> | ||
| 231 | ····<select·idref="restrict_serial_port_logins"·selected="true"/> | ||
| 232 | ····<select·idref="no_empty_passwords"·selected="true"/> | ||
| 233 | ····<select·idref="accounts_password_all_shadowed"·selected="true"/> | ||
| 234 | ····<select·idref="accounts_no_uid_except_zero"·selected="true"/> | ||
| 235 | ····<select·idref="accounts_password_warn_age_login_defs"·selected="true"/> | ||
| 236 | ····<select·idref="accounts_maximum_age_login_defs"·selected="true"/> | ||
| 237 | ····<select·idref="accounts_password_minlen_login_defs"·selected="true"/> | ||
| 238 | ····<select·idref="accounts_password_pam_retry"·selected="true"/> | ||
| 239 | ····<select·idref="accounts_password_pam_dcredit"·selected="true"/> | ||
| 240 | ····<select·idref="accounts_password_pam_ucredit"·selected="true"/> | ||
| 241 | ····<select·idref="accounts_password_pam_lcredit"·selected="true"/> | ||
| 242 | ····<select·idref="accounts_password_pam_ocredit"·selected="true"/> | ||
| 243 | ····<select·idref="accounts_password_pam_difok"·selected="true"/> | ||
| 244 | ····<select·idref="accounts_passwords_pam_faillock_deny"·selected="true"/> | ||
| 245 | ····<select·idref="set_password_hashing_algorithm_systemauth"·selected="true"/> | ||
| 246 | ····<select·idref="set_password_hashing_algorithm_logindefs"·selected="true"/> | ||
| 247 | ····<select·idref="accounts_password_pam_unix_remember"·selected="true"/> | ||
| 248 | ····<select·idref="root_path_no_dot"·selected="true"/> | ||
| 249 | ····<select·idref="accounts_root_path_dirs_no_write"·selected="true"/> | ||
| 250 | ····<select·idref="file_permissions_home_dirs"·selected="true"/> | ||
| 251 | ····<select·idref="accounts_umask_etc_bashrc"·selected="true"/> | ||
| 252 | ····<select·idref="accounts_umask_etc_csh_cshrc"·selected="true"/> | ||
| 253 | ····<select·idref="accounts_umask_etc_profile"·selected="true"/> | ||
| 254 | ····<select·idref="accounts_umask_etc_login_defs"·selected="true"/> | ||
| 255 | ····<select·idref="file_user_owner_grub_conf"·selected="true"/> | ||
| 256 | ····<select·idref="file_group_owner_grub_conf"·selected="true"/> | ||
| 257 | ····<select·idref="file_permissions_grub_conf"·selected="true"/> | ||
| 258 | ····<select·idref="bootloader_password"·selected="true"/> | ||
| 259 | ····<select·idref="disable_interactive_boot"·selected="true"/> | ||
| 260 | ····<select·idref="gconf_gnome_screensaver_idle_delay"·selected="true"/> | ||
| 261 | ····<select·idref="gconf_gnome_screensaver_idle_activation_enabled"·selected="true"/> | ||
| 262 | ····<select·idref="gconf_gnome_screensaver_lock_enabled"·selected="true"/> | ||
| 263 | ····<select·idref="gconf_gnome_screensaver_mode_blank"·selected="true"/> | ||
| 264 | ····<select·idref="banner_etc_issue"·selected="true"/> | ||
| 265 | ····<select·idref="selinux_state"·selected="true"/> | ||
| 266 | ····<select·idref="selinux_policytype"·selected="true"/> | ||
| 267 | ····<select·idref="enable_selinux_bootloader"·selected="true"/> | ||
| 268 | ····<select·idref="selinux_confinement_of_daemons"·selected="true"/> | ||
| 269 | ····<select·idref="selinux_all_devicefiles_labeled"·selected="true"/> | ||
| 270 | ····<select·idref="sysctl_net_ipv4_ip_forward"·selected="true"/> | ||
| 271 | ····<select·idref="sysctl_net_ipv4_conf_all_send_redirects"·selected="true"/> | ||
| 272 | ····<select·idref="sysctl_net_ipv4_conf_default_send_redirects"·selected="true"/> | ||
| 273 | ····<select·idref="sysctl_net_ipv4_conf_all_secure_redirects"·selected="true"/> | ||
| 274 | ····<select·idref="sysctl_net_ipv4_conf_all_accept_redirects"·selected="true"/> | ||
| 275 | ····<select·idref="sysctl_net_ipv4_conf_default_accept_source_route"·selected="true"/> | ||
| 276 | ····<select·idref="sysctl_net_ipv4_conf_default_secure_redirects"·selected="true"/> | ||
| 277 | ····<select·idref="sysctl_net_ipv4_conf_default_accept_redirects"·selected="true"/> | ||
| 278 | ····<select·idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses"·selected="true"/> | ||
| 279 | ····<select·idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts"·selected="true"/> | ||
| 280 | ····<select·idref="sysctl_net_ipv4_conf_all_log_martians"·selected="true"/> | ||
| 281 | ····<select·idref="sysctl_net_ipv4_conf_all_rp_filter"·selected="true"/> | ||
| 282 | ····<select·idref="sysctl_net_ipv4_tcp_syncookies"·selected="true"/> | ||
| 283 | ····<select·idref="sysctl_net_ipv4_conf_default_rp_filter"·selected="true"/> | ||
| 284 | ····<select·idref="wireless_disable_in_bios"·selected="true"/> | ||
| 285 | ····<select·idref="service_bluetooth_disabled"·selected="true"/> | ||
| 286 | ····<select·idref="network_ipv6_disable_rpc"·selected="true"/> | ||
| 287 | ····<select·idref="sysctl_net_ipv6_conf_default_accept_ra"·selected="true"/> | ||
| 288 | ····<select·idref="sysctl_net_ipv6_conf_default_accept_redirects"·selected="true"/> | ||
| Max diff block lines reached; 2087069/2176096 bytes (95.91%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:32:03</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> | 10 | ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>CentOS·6</ns0:title> | 12 | ········<ns0:title>CentOS·6</ns0:title> |
| 13 | ········<ns0:affected·family="unix"/> | 13 | ········<ns0:affected·family="unix"/> |
| 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> | 14 | ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/> |
| Offset 26, 21 lines modified | Offset 26, 21 lines modified | ||
| 26 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/> | 26 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/> |
| 27 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/> | 27 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/> |
| 28 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/> | 28 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/> |
| 29 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/> | 29 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/> |
| 30 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/> | 30 | ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/> |
| 31 | ····</ds:checks> | 31 | ····</ds:checks> |
| 32 | ··</ds:data-stream> | 32 | ··</ds:data-stream> |
| 33 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-07-1 | 33 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-07-12T18:46:05"> |
| 34 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 34 | ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 35 | ······<ns0:generator> | 35 | ······<ns0:generator> |
| 36 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 36 | ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 37 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 37 | ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 38 | ········<ns2:schema_version>5.11</ns2:schema_version> | 38 | ········<ns2:schema_version>5.11</ns2:schema_version> |
| 39 | ········<ns2:timestamp>2020-07-12T0 | 39 | ········<ns2:timestamp>2020-07-12T04:32:03</ns2:timestamp> |
| 40 | ······</ns0:generator> | 40 | ······</ns0:generator> |
| 41 | ······<ns0:definitions> | 41 | ······<ns0:definitions> |
| 42 | ········<ns0:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> | 42 | ········<ns0:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> |
| 43 | ··········<ns0:metadata> | 43 | ··········<ns0:metadata> |
| 44 | ············<ns0:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns0:title> | 44 | ············<ns0:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns0:title> |
| 45 | ············<ns0:affected·family="unix"> | 45 | ············<ns0:affected·family="unix"> |
| 46 | ··············<ns0:platform>Red·Hat·Enterprise·Linux·7</ns0:platform> | 46 | ··············<ns0:platform>Red·Hat·Enterprise·Linux·7</ns0:platform> |
| Offset 31871, 29 lines modified | Offset 31871, 23 lines modified | ||
| 31871 | ········<ns0:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> | 31871 | ········<ns0:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> |
| 31872 | ········<ns0:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> | 31872 | ········<ns0:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> |
| 31873 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> | 31873 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> |
| 31874 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> | 31874 | ········<ns0:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> |
| 31875 | ······</ns0:variables> | 31875 | ······</ns0:variables> |
| 31876 | ····</ns0:oval_definitions> | 31876 | ····</ns0:oval_definitions> |
| 31877 | ··</ds:component> | 31877 | ··</ds:component> |
| 31878 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-07-1 | 31878 | ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-07-12T18:46:05"> |
| 31879 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> | 31879 | ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> |
| 31880 | ······<ns0:generator> | 31880 | ······<ns0:generator> |
| 31881 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 31881 | ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 31882 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 31882 | ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 31883 | ········<ns0:schema_version>2.0</ns0:schema_version> | 31883 | ········<ns0:schema_version>2.0</ns0:schema_version> |
| 31884 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 31884 | ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 31885 | ······</ns0:generator> | 31885 | ······</ns0:generator> |
| 31886 | ······<ns0:questionnaires> | 31886 | ······<ns0:questionnaires> |
| 31887 | ········<ns0:questionnaire·id="ocil:ssg-service_docker_enabled_ocil:questionnaire:1"> | ||
| 31888 | ··········<ns0:title>Enable·the·Docker·service</ns0:title> | ||
| 31889 | ··········<ns0:actions> | ||
| 31890 | ············<ns0:test_action_ref>ocil:ssg-service_docker_enabled_action:testaction:1</ns0:test_action_ref> | ||
| 31891 | ··········</ns0:actions> | ||
| 31892 | ········</ns0:questionnaire> | ||
| 31893 | ········<ns0:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1"> | 31887 | ········<ns0:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1"> |
| 31894 | ··········<ns0:title>Uninstall·rsh·Package</ns0:title> | 31888 | ··········<ns0:title>Uninstall·rsh·Package</ns0:title> |
| 31895 | ··········<ns0:actions> | 31889 | ··········<ns0:actions> |
| 31896 | ············<ns0:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns0:test_action_ref> | 31890 | ············<ns0:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns0:test_action_ref> |
| 31897 | ··········</ns0:actions> | 31891 | ··········</ns0:actions> |
| 31898 | ········</ns0:questionnaire> | 31892 | ········</ns0:questionnaire> |
| 31899 | ········<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> | 31893 | ········<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> |
| Offset 31952, 26 lines modified | Offset 31946, 26 lines modified | ||
| 31952 | ········</ns0:questionnaire> | 31946 | ········</ns0:questionnaire> |
| 31953 | ········<ns0:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1"> | 31947 | ········<ns0:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1"> |
| 31954 | ··········<ns0:title>Uninstall·telnet-server·Package</ns0:title> | 31948 | ··········<ns0:title>Uninstall·telnet-server·Package</ns0:title> |
| 31955 | ··········<ns0:actions> | 31949 | ··········<ns0:actions> |
| 31956 | ············<ns0:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns0:test_action_ref> | 31950 | ············<ns0:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns0:test_action_ref> |
| 31957 | ··········</ns0:actions> | 31951 | ··········</ns0:actions> |
| 31958 | ········</ns0:questionnaire> | 31952 | ········</ns0:questionnaire> |
| 31959 | ········<ns0:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"> | ||
| 31960 | ··········<ns0:title>Disable·ypbind·Service</ns0:title> | ||
| 31961 | ··········<ns0:actions> | ||
| 31962 | ············<ns0:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 31963 | ··········</ns0:actions> | ||
| 31964 | ········</ns0:questionnaire> | ||
| 31965 | ········<ns0:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1"> | 31953 | ········<ns0:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1"> |
| 31966 | ··········<ns0:title>Remove·NIS·Client</ns0:title> | 31954 | ··········<ns0:title>Remove·NIS·Client</ns0:title> |
| 31967 | ··········<ns0:actions> | 31955 | ··········<ns0:actions> |
| 31968 | ············<ns0:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns0:test_action_ref> | 31956 | ············<ns0:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns0:test_action_ref> |
| 31969 | ··········</ns0:actions> | 31957 | ··········</ns0:actions> |
| 31970 | ········</ns0:questionnaire> | 31958 | ········</ns0:questionnaire> |
| 31959 | ········<ns0:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"> | ||
| 31960 | ··········<ns0:title>Disable·ypbind·Service</ns0:title> | ||
| 31961 | ··········<ns0:actions> | ||
| 31962 | ············<ns0:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 31963 | ··········</ns0:actions> | ||
| 31964 | ········</ns0:questionnaire> | ||
| 31971 | ········<ns0:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1"> | 31965 | ········<ns0:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1"> |
| 31972 | ··········<ns0:title>Uninstall·ypserv·Package</ns0:title> | 31966 | ··········<ns0:title>Uninstall·ypserv·Package</ns0:title> |
| 31973 | ··········<ns0:actions> | 31967 | ··········<ns0:actions> |
| 31974 | ············<ns0:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns0:test_action_ref> | 31968 | ············<ns0:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns0:test_action_ref> |
| 31975 | ··········</ns0:actions> | 31969 | ··········</ns0:actions> |
| 31976 | ········</ns0:questionnaire> | 31970 | ········</ns0:questionnaire> |
| 31977 | ········<ns0:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1"> | 31971 | ········<ns0:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1"> |
| Offset 31994, 26 lines modified | Offset 31988, 26 lines modified | ||
| 31994 | ········</ns0:questionnaire> | 31988 | ········</ns0:questionnaire> |
| 31995 | ········<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> | 31989 | ········<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> |
| 31996 | ··········<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title> | 31990 | ··········<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title> |
| 31997 | ··········<ns0:actions> | 31991 | ··········<ns0:actions> |
| 31998 | ············<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref> | 31992 | ············<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref> |
| 31999 | ··········</ns0:actions> | 31993 | ··········</ns0:actions> |
| 32000 | ········</ns0:questionnaire> | 31994 | ········</ns0:questionnaire> |
| 32001 | ········<ns0:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> | ||
| 32002 | ··········<ns0:title>Disable·xinetd·Service</ns0:title> | ||
| 32003 | ··········<ns0:actions> | ||
| 32004 | ············<ns0:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 32005 | ··········</ns0:actions> | ||
| 32006 | ········</ns0:questionnaire> | ||
| 32007 | ········<ns0:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1"> | 31995 | ········<ns0:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1"> |
| 32008 | ··········<ns0:title>Install·tcp_wrappers·Package</ns0:title> | 31996 | ··········<ns0:title>Install·tcp_wrappers·Package</ns0:title> |
| 32009 | ··········<ns0:actions> | 31997 | ··········<ns0:actions> |
| 32010 | ············<ns0:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns0:test_action_ref> | 31998 | ············<ns0:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns0:test_action_ref> |
| 32011 | ··········</ns0:actions> | 31999 | ··········</ns0:actions> |
| 32012 | ········</ns0:questionnaire> | 32000 | ········</ns0:questionnaire> |
| 32001 | ········<ns0:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> | ||
| 32002 | ··········<ns0:title>Disable·xinetd·Service</ns0:title> | ||
| 32003 | ··········<ns0:actions> | ||
| 32004 | ············<ns0:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 32005 | ··········</ns0:actions> | ||
| 32006 | ········</ns0:questionnaire> | ||
| 32013 | ········<ns0:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> | 32007 | ········<ns0:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> |
| 32014 | ··········<ns0:title>Uninstall·xinetd·Package</ns0:title> | 32008 | ··········<ns0:title>Uninstall·xinetd·Package</ns0:title> |
| 32015 | ··········<ns0:actions> | 32009 | ··········<ns0:actions> |
| 32016 | ············<ns0:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns0:test_action_ref> | 32010 | ············<ns0:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns0:test_action_ref> |
| 32017 | ··········</ns0:actions> | 32011 | ··········</ns0:actions> |
| 32018 | ········</ns0:questionnaire> | 32012 | ········</ns0:questionnaire> |
| 32019 | ········<ns0:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> | 32013 | ········<ns0:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> |
| Offset 32024, 26 lines modified | Offset 32018, 38 lines modified | ||
| 32024 | ········</ns0:questionnaire> | 32018 | ········</ns0:questionnaire> |
| 32025 | ········<ns0:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> | 32019 | ········<ns0:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> |
| 32026 | ··········<ns0:title>Uninstall·talk-server·Package</ns0:title> | 32020 | ··········<ns0:title>Uninstall·talk-server·Package</ns0:title> |
| 32027 | ··········<ns0:actions> | 32021 | ··········<ns0:actions> |
| 32028 | ············<ns0:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns0:test_action_ref> | 32022 | ············<ns0:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns0:test_action_ref> |
| 32029 | ··········</ns0:actions> | 32023 | ··········</ns0:actions> |
| 32030 | ········</ns0:questionnaire> | 32024 | ········</ns0:questionnaire> |
| 32031 | ········<ns0:questionnaire·id="ocil:ssg- | 32025 | ········<ns0:questionnaire·id="ocil:ssg-service_dovecot_disabled_ocil:questionnaire:1"> |
| 32032 | ··········<ns0:title> | 32026 | ··········<ns0:title>Disable·Dovecot·Service</ns0:title> |
| Max diff block lines reached; 5576108/5585186 bytes (99.84%) of diff not shown. | |||
| Offset 3, 20 lines modified | Offset 3, 14 lines modified | ||
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> | 4 | ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> |
| 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> | 5 | ····<ns0:product_version>ssg:·0.1.39</ns0:product_version> |
| 6 | ····<ns0:schema_version>2.0</ns0:schema_version> | 6 | ····<ns0:schema_version>2.0</ns0:schema_version> |
| 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> | 7 | ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:questionnaires> | 9 | ··<ns0:questionnaires> |
| 10 | ····<ns0:questionnaire·id="ocil:ssg-service_docker_enabled_ocil:questionnaire:1"> | ||
| 11 | ······<ns0:title>Enable·the·Docker·service</ns0:title> | ||
| 12 | ······<ns0:actions> | ||
| 13 | ········<ns0:test_action_ref>ocil:ssg-service_docker_enabled_action:testaction:1</ns0:test_action_ref> | ||
| 14 | ······</ns0:actions> | ||
| 15 | ····</ns0:questionnaire> | ||
| 16 | ····<ns0:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1"> | 10 | ····<ns0:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1"> |
| 17 | ······<ns0:title>Uninstall·rsh·Package</ns0:title> | 11 | ······<ns0:title>Uninstall·rsh·Package</ns0:title> |
| 18 | ······<ns0:actions> | 12 | ······<ns0:actions> |
| 19 | ········<ns0:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns0:test_action_ref> | 13 | ········<ns0:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns0:test_action_ref> |
| 20 | ······</ns0:actions> | 14 | ······</ns0:actions> |
| 21 | ····</ns0:questionnaire> | 15 | ····</ns0:questionnaire> |
| 22 | ····<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> | 16 | ····<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> |
| Offset 75, 26 lines modified | Offset 69, 26 lines modified | ||
| 75 | ····</ns0:questionnaire> | 69 | ····</ns0:questionnaire> |
| 76 | ····<ns0:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1"> | 70 | ····<ns0:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1"> |
| 77 | ······<ns0:title>Uninstall·telnet-server·Package</ns0:title> | 71 | ······<ns0:title>Uninstall·telnet-server·Package</ns0:title> |
| 78 | ······<ns0:actions> | 72 | ······<ns0:actions> |
| 79 | ········<ns0:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns0:test_action_ref> | 73 | ········<ns0:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns0:test_action_ref> |
| 80 | ······</ns0:actions> | 74 | ······</ns0:actions> |
| 81 | ····</ns0:questionnaire> | 75 | ····</ns0:questionnaire> |
| 82 | ····<ns0:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"> | ||
| 83 | ······<ns0:title>Disable·ypbind·Service</ns0:title> | ||
| 84 | ······<ns0:actions> | ||
| 85 | ········<ns0:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 86 | ······</ns0:actions> | ||
| 87 | ····</ns0:questionnaire> | ||
| 88 | ····<ns0:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1"> | 76 | ····<ns0:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1"> |
| 89 | ······<ns0:title>Remove·NIS·Client</ns0:title> | 77 | ······<ns0:title>Remove·NIS·Client</ns0:title> |
| 90 | ······<ns0:actions> | 78 | ······<ns0:actions> |
| 91 | ········<ns0:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns0:test_action_ref> | 79 | ········<ns0:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns0:test_action_ref> |
| 92 | ······</ns0:actions> | 80 | ······</ns0:actions> |
| 93 | ····</ns0:questionnaire> | 81 | ····</ns0:questionnaire> |
| 82 | ····<ns0:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"> | ||
| 83 | ······<ns0:title>Disable·ypbind·Service</ns0:title> | ||
| 84 | ······<ns0:actions> | ||
| 85 | ········<ns0:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 86 | ······</ns0:actions> | ||
| 87 | ····</ns0:questionnaire> | ||
| 94 | ····<ns0:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1"> | 88 | ····<ns0:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1"> |
| 95 | ······<ns0:title>Uninstall·ypserv·Package</ns0:title> | 89 | ······<ns0:title>Uninstall·ypserv·Package</ns0:title> |
| 96 | ······<ns0:actions> | 90 | ······<ns0:actions> |
| 97 | ········<ns0:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns0:test_action_ref> | 91 | ········<ns0:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns0:test_action_ref> |
| 98 | ······</ns0:actions> | 92 | ······</ns0:actions> |
| 99 | ····</ns0:questionnaire> | 93 | ····</ns0:questionnaire> |
| 100 | ····<ns0:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1"> | 94 | ····<ns0:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1"> |
| Offset 117, 26 lines modified | Offset 111, 26 lines modified | ||
| 117 | ····</ns0:questionnaire> | 111 | ····</ns0:questionnaire> |
| 118 | ····<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> | 112 | ····<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> |
| 119 | ······<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title> | 113 | ······<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title> |
| 120 | ······<ns0:actions> | 114 | ······<ns0:actions> |
| 121 | ········<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref> | 115 | ········<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref> |
| 122 | ······</ns0:actions> | 116 | ······</ns0:actions> |
| 123 | ····</ns0:questionnaire> | 117 | ····</ns0:questionnaire> |
| 124 | ····<ns0:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> | ||
| 125 | ······<ns0:title>Disable·xinetd·Service</ns0:title> | ||
| 126 | ······<ns0:actions> | ||
| 127 | ········<ns0:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 128 | ······</ns0:actions> | ||
| 129 | ····</ns0:questionnaire> | ||
| 130 | ····<ns0:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1"> | 118 | ····<ns0:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1"> |
| 131 | ······<ns0:title>Install·tcp_wrappers·Package</ns0:title> | 119 | ······<ns0:title>Install·tcp_wrappers·Package</ns0:title> |
| 132 | ······<ns0:actions> | 120 | ······<ns0:actions> |
| 133 | ········<ns0:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns0:test_action_ref> | 121 | ········<ns0:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns0:test_action_ref> |
| 134 | ······</ns0:actions> | 122 | ······</ns0:actions> |
| 135 | ····</ns0:questionnaire> | 123 | ····</ns0:questionnaire> |
| 124 | ····<ns0:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> | ||
| 125 | ······<ns0:title>Disable·xinetd·Service</ns0:title> | ||
| 126 | ······<ns0:actions> | ||
| 127 | ········<ns0:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns0:test_action_ref> | ||
| 128 | ······</ns0:actions> | ||
| 129 | ····</ns0:questionnaire> | ||
| 136 | ····<ns0:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> | 130 | ····<ns0:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> |
| 137 | ······<ns0:title>Uninstall·xinetd·Package</ns0:title> | 131 | ······<ns0:title>Uninstall·xinetd·Package</ns0:title> |
| 138 | ······<ns0:actions> | 132 | ······<ns0:actions> |
| 139 | ········<ns0:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns0:test_action_ref> | 133 | ········<ns0:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns0:test_action_ref> |
| 140 | ······</ns0:actions> | 134 | ······</ns0:actions> |
| 141 | ····</ns0:questionnaire> | 135 | ····</ns0:questionnaire> |
| 142 | ····<ns0:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> | 136 | ····<ns0:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> |
| Offset 147, 26 lines modified | Offset 141, 38 lines modified | ||
| 147 | ····</ns0:questionnaire> | 141 | ····</ns0:questionnaire> |
| 148 | ····<ns0:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> | 142 | ····<ns0:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> |
| 149 | ······<ns0:title>Uninstall·talk-server·Package</ns0:title> | 143 | ······<ns0:title>Uninstall·talk-server·Package</ns0:title> |
| 150 | ······<ns0:actions> | 144 | ······<ns0:actions> |
| 151 | ········<ns0:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns0:test_action_ref> | 145 | ········<ns0:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns0:test_action_ref> |
| 152 | ······</ns0:actions> | 146 | ······</ns0:actions> |
| 153 | ····</ns0:questionnaire> | 147 | ····</ns0:questionnaire> |
| 154 | ····<ns0:questionnaire·id="ocil:ssg- | 148 | ····<ns0:questionnaire·id="ocil:ssg-service_dovecot_disabled_ocil:questionnaire:1"> |
| 155 | ······<ns0:title> | 149 | ······<ns0:title>Disable·Dovecot·Service</ns0:title> |
| 156 | ······<ns0:actions> | 150 | ······<ns0:actions> |
| 157 | ········<ns0:test_action_ref>ocil:ssg- | 151 | ········<ns0:test_action_ref>ocil:ssg-service_dovecot_disabled_action:testaction:1</ns0:test_action_ref> |
| 152 | ······</ns0:actions> | ||
| 153 | ····</ns0:questionnaire> | ||
| 154 | ····<ns0:questionnaire·id="ocil:ssg-package_dovecot_removed_ocil:questionnaire:1"> | ||
| 155 | ······<ns0:title>Uninstall·dovecot·Package</ns0:title> | ||
| 156 | ······<ns0:actions> | ||
| 157 | ········<ns0:test_action_ref>ocil:ssg-package_dovecot_removed_action:testaction:1</ns0:test_action_ref> | ||
| 158 | ······</ns0:actions> | 158 | ······</ns0:actions> |
| 159 | ····</ns0:questionnaire> | 159 | ····</ns0:questionnaire> |
| 160 | ····<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> | 160 | ····<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> |
| 161 | ······<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title> | 161 | ······<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title> |
| 162 | ······<ns0:actions> | 162 | ······<ns0:actions> |
| 163 | ········<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref> | 163 | ········<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref> |
| 164 | ······</ns0:actions> | 164 | ······</ns0:actions> |
| 165 | ····</ns0:questionnaire> | 165 | ····</ns0:questionnaire> |
| 166 | ····<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> | ||
| 167 | ······<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title> | ||
| 168 | ······<ns0:actions> | ||
| 169 | ········<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref> | ||
| 170 | ······</ns0:actions> | ||
| 171 | ····</ns0:questionnaire> | ||
| 166 | ····<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> | 172 | ····<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> |
| 167 | ······<ns0:title>Disable·vsftpd·Service</ns0:title> | 173 | ······<ns0:title>Disable·vsftpd·Service</ns0:title> |
| 168 | ······<ns0:actions> | 174 | ······<ns0:actions> |
| 169 | ········<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref> | 175 | ········<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref> |
| 170 | ······</ns0:actions> | 176 | ······</ns0:actions> |
| 171 | ····</ns0:questionnaire> | 177 | ····</ns0:questionnaire> |
| 172 | ····<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> | 178 | ····<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> |
| Offset 225, 26 lines modified | Offset 231, 26 lines modified | ||
| 225 | ····</ns0:questionnaire> | 231 | ····</ns0:questionnaire> |
| Max diff block lines reached; 694596/701458 bytes (99.02%) of diff not shown. | |||
| Offset 1, 14 lines modified | Offset 1, 14 lines modified | ||
| 1 | <?xml·version="1.0"·encoding="utf-8"?> | 1 | <?xml·version="1.0"·encoding="utf-8"?> |
| 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 2 | <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 3 | ··<ns0:generator> | 3 | ··<ns0:generator> |
| 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> | 4 | ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name> |
| 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> | 5 | ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version> |
| 6 | ····<ns2:schema_version>5.11</ns2:schema_version> | 6 | ····<ns2:schema_version>5.11</ns2:schema_version> |
| 7 | ····<ns2:timestamp>2020-07-12T0 | 7 | ····<ns2:timestamp>2020-07-12T04:32:03</ns2:timestamp> |
| 8 | ··</ns0:generator> | 8 | ··</ns0:generator> |
| 9 | ··<ns0:definitions> | 9 | ··<ns0:definitions> |
| 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> | 10 | ····<ns0:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> |
| 11 | ······<ns0:metadata> | 11 | ······<ns0:metadata> |
| 12 | ········<ns0:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns0:title> | 12 | ········<ns0:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns0:title> |
| 13 | ········<ns0:affected·family="unix"> | 13 | ········<ns0:affected·family="unix"> |
| 14 | ··········<ns0:platform>Red·Hat·Enterprise·Linux·7</ns0:platform> | 14 | ··········<ns0:platform>Red·Hat·Enterprise·Linux·7</ns0:platform> |
| Offset 162, 348 lines modified | Offset 162, 14 lines modified | ||
| 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 162 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 163 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 164 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> | 164 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 165 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 165 | ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 166 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 166 | ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 167 | ··</metadata> | 167 | ··</metadata> |
| 168 | ··<model·system="urn:xccdf:scoring:default"/> | 168 | ··<model·system="urn:xccdf:scoring:default"/> |
| 169 | ··<Profile·id="hipaa"> | ||
| 170 | ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Health·Insurance·Portability·and·Accountability·Act·(HIPAA)</title> | ||
| 171 | ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">The·HIPAA·Security·Rule·establishes·U.S.·national·standards·to·protect·individuals’ | ||
| 172 | electronic·personal·health·information·that·is·created,·received,·used,·or | ||
| 173 | maintained·by·a·covered·entity.·The·Security·Rule·requires·appropriate | ||
| 174 | administrative,·physical·and·technical·safeguards·to·ensure·the | ||
| 175 | confidentiality,·integrity,·and·security·of·electronic·protected·health | ||
| 176 | information. | ||
| 177 | This·profile·configures·Red·Hat·Enterprise·Linux·7·to·the·HIPAA·Security | ||
| 178 | Rule·identified·for·securing·of·electronic·protected·health·information.</description> | ||
| 179 | ····<select·idref="bootloader_password"·selected="true"/> | ||
| 180 | ····<select·idref="bootloader_uefi_password"·selected="true"/> | ||
| 181 | ····<select·idref="file_group_owner_grub2_cfg"·selected="true"/> | ||
| 182 | ····<select·idref="file_permissions_grub2_cfg"·selected="true"/> | ||
| 183 | ····<select·idref="file_user_owner_grub2_cfg"·selected="true"/> | ||
| 184 | ····<select·idref="disable_interactive_boot"·selected="true"/> | ||
| 185 | ····<select·idref="no_direct_root_logins"·selected="true"/> | ||
| 186 | ····<select·idref="no_empty_passwords"·selected="true"/> | ||
| 187 | ····<select·idref="require_singleuser_auth"·selected="true"/> | ||
| 188 | ····<select·idref="restrict_serial_port_logins"·selected="true"/> | ||
| 189 | ····<select·idref="securetty_root_login_console_only"·selected="true"/> | ||
| 190 | ····<select·idref="service_debug-shell_disabled"·selected="true"/> | ||
| 191 | ····<select·idref="disable_ctrlaltdel_reboot"·selected="true"/> | ||
| 192 | ····<select·idref="disable_ctrlaltdel_burstaction"·selected="true"/> | ||
| 193 | ····<select·idref="dconf_gnome_remote_access_credential_prompt"·selected="true"/> | ||
| 194 | ····<select·idref="dconf_gnome_remote_access_encryption"·selected="true"/> | ||
| 195 | ····<select·idref="sshd_disable_empty_passwords"·selected="true"/> | ||
| 196 | ····<select·idref="sshd_disable_root_login"·selected="true"/> | ||
| 197 | ····<select·idref="libreswan_approved_tunnels"·selected="true"/> | ||
| 198 | ····<select·idref="no_rsh_trust_files"·selected="true"/> | ||
| 199 | ····<select·idref="package_rsh_removed"·selected="true"/> | ||
| 200 | ····<select·idref="package_rsh-server_removed"·selected="true"/> | ||
| 201 | ····<select·idref="package_talk_removed"·selected="true"/> | ||
| 202 | ····<select·idref="package_talk-server_removed"·selected="true"/> | ||
| 203 | ····<select·idref="package_telnet_removed"·selected="true"/> | ||
| 204 | ····<select·idref="package_telnet-server_removed"·selected="true"/> | ||
| 205 | ····<select·idref="package_xinetd_removed"·selected="true"/> | ||
| 206 | ····<select·idref="package_ypbind_removed"·selected="true"/> | ||
| 207 | ····<select·idref="package_ypserv_removed"·selected="true"/> | ||
| 208 | ····<select·idref="service_crond_enabled"·selected="true"/> | ||
| 209 | ····<select·idref="service_rexec_disabled"·selected="true"/> | ||
| 210 | ····<select·idref="service_rlogin_disabled"·selected="true"/> | ||
| 211 | ····<select·idref="service_rsh_disabled"·selected="true"/> | ||
| 212 | ····<select·idref="service_telnet_disabled"·selected="true"/> | ||
| 213 | ····<select·idref="service_xinetd_disabled"·selected="true"/> | ||
| 214 | ····<select·idref="service_ypbind_disabled"·selected="true"/> | ||
| 215 | ····<select·idref="service_zebra_disabled"·selected="true"/> | ||
| 216 | ····<select·idref="use_kerberos_security_all_exports"·selected="true"/> | ||
| 217 | ····<select·idref="disable_host_auth"·selected="true"/> | ||
| 218 | ····<select·idref="sshd_allow_only_protocol2"·selected="true"/> | ||
| 219 | ····<select·idref="sshd_disable_compression"·selected="true"/> | ||
| 220 | ····<select·idref="sshd_disable_gssapi_auth"·selected="true"/> | ||
| 221 | ····<select·idref="sshd_disable_kerb_auth"·selected="true"/> | ||
| 222 | ····<select·idref="sshd_disable_rhosts_rsa"·selected="true"/> | ||
| 223 | ····<select·idref="sshd_disable_rhosts"·selected="true"/> | ||
| 224 | ····<select·idref="sshd_disable_user_known_hosts"·selected="true"/> | ||
| 225 | ····<select·idref="sshd_do_not_permit_user_env"·selected="true"/> | ||
| 226 | ····<select·idref="sshd_enable_strictmodes"·selected="true"/> | ||
| 227 | ····<select·idref="sshd_enable_warning_banner"·selected="true"/> | ||
| 228 | ····<select·idref="sshd_set_keepalive"·selected="true"/> | ||
| 229 | ····<select·idref="sshd_use_priv_separation"·selected="true"/> | ||
| 230 | ····<select·idref="encrypt_partitions"·selected="true"/> | ||
| 231 | ····<select·idref="sshd_use_approved_ciphers"·selected="true"/> | ||
| 232 | ····<select·idref="sshd_use_approved_macs"·selected="true"/> | ||
| 233 | ····<select·idref="enable_selinux_bootloader"·selected="true"/> | ||
| 234 | ····<select·idref="sebool_selinuxuser_execheap"·selected="true"/> | ||
| 235 | ····<select·idref="sebool_selinuxuser_execmod"·selected="true"/> | ||
| 236 | ····<select·idref="sebool_selinuxuser_execstack"·selected="true"/> | ||
| 237 | ····<select·idref="selinux_confinement_of_daemons"·selected="true"/> | ||
| 238 | ····<select·idref="selinux_policytype"·selected="true"/> | ||
| 239 | ····<select·idref="selinux_state"·selected="true"/> | ||
| 240 | ····<select·idref="service_kdump_disabled"·selected="true"/> | ||
| 241 | ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | ||
| 242 | ····<select·idref="sysctl_kernel_dmesg_restrict"·selected="true"/> | ||
| 243 | ····<select·idref="sysctl_kernel_exec_shield"·selected="true"/> | ||
| 244 | ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | ||
| 245 | ····<select·idref="rpm_verify_hashes"·selected="true"/> | ||
| 246 | ····<select·idref="rpm_verify_permissions"·selected="true"/> | ||
| 247 | ····<select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> | ||
| 248 | ····<select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> | ||
| 249 | ····<select·idref="ensure_gpgcheck_never_disabled"·selected="true"/> | ||
| 250 | ····<select·idref="ensure_gpgcheck_repo_metadata"·selected="true"/> | ||
| 251 | ····<select·idref="ensure_gpgcheck_local_packages"·selected="true"/> | ||
| 252 | ····<select·idref="bootloader_audit_argument"·selected="true"/> | ||
| 253 | ····<select·idref="service_auditd_enabled"·selected="true"/> | ||
| 254 | ····<select·idref="audit_rules_privileged_commands_sudo"·selected="true"/> | ||
| 255 | ····<select·idref="audit_rules_privileged_commands_su"·selected="true"/> | ||
| 256 | ····<select·idref="audit_rules_immutable"·selected="true"/> | ||
| 257 | ····<select·idref="kernel_module_usb-storage_disabled"·selected="true"/> | ||
| 258 | ····<select·idref="service_autofs_disabled"·selected="true"/> | ||
| 259 | ····<select·idref="auditd_audispd_syslog_plugin_activated"·selected="true"/> | ||
| 260 | ····<select·idref="rsyslog_remote_loghost"·selected="true"/> | ||
| 261 | ····<select·idref="auditd_data_retention_flush"·selected="true"/> | ||
| 262 | ····<select·idref="audit_rules_dac_modification_chmod"·selected="true"/> | ||
| 263 | ····<select·idref="audit_rules_dac_modification_chown"·selected="true"/> | ||
| 264 | ····<select·idref="audit_rules_dac_modification_fchmodat"·selected="true"/> | ||
| 265 | ····<select·idref="audit_rules_dac_modification_fchmod"·selected="true"/> | ||
| 266 | ····<select·idref="audit_rules_dac_modification_fchownat"·selected="true"/> | ||
| 267 | ····<select·idref="audit_rules_dac_modification_fchown"·selected="true"/> | ||
| 268 | ····<select·idref="audit_rules_dac_modification_fremovexattr"·selected="true"/> | ||
| 269 | ····<select·idref="audit_rules_dac_modification_fsetxattr"·selected="true"/> | ||
| 270 | ····<select·idref="audit_rules_dac_modification_lchown"·selected="true"/> | ||
| 271 | ····<select·idref="audit_rules_dac_modification_lremovexattr"·selected="true"/> | ||
| 272 | ····<select·idref="audit_rules_dac_modification_lsetxattr"·selected="true"/> | ||
| 273 | ····<select·idref="audit_rules_dac_modification_removexattr"·selected="true"/> | ||
| 274 | ····<select·idref="audit_rules_dac_modification_setxattr"·selected="true"/> | ||
| 275 | ····<select·idref="audit_rules_execution_chcon"·selected="true"/> | ||
| 276 | ····<select·idref="audit_rules_execution_restorecon"·selected="true"/> | ||
| 277 | ····<select·idref="audit_rules_execution_semanage"·selected="true"/> | ||
| 278 | ····<select·idref="audit_rules_execution_setsebool"·selected="true"/> | ||
| 279 | ····<select·idref="audit_rules_file_deletion_events_renameat"·selected="true"/> | ||
| 280 | ····<select·idref="audit_rules_file_deletion_events_rename"·selected="true"/> | ||
| 281 | ····<select·idref="audit_rules_file_deletion_events_rmdir"·selected="true"/> | ||
| 282 | ····<select·idref="audit_rules_file_deletion_events_unlinkat"·selected="true"/> | ||
| 283 | ····<select·idref="audit_rules_file_deletion_events_unlink"·selected="true"/> | ||
| 284 | ····<select·idref="audit_rules_kernel_module_loading_delete"·selected="true"/> | ||
| 285 | ····<select·idref="audit_rules_kernel_module_loading_init"·selected="true"/> | ||
| 286 | ····<select·idref="audit_rules_kernel_module_loading_insmod"·selected="true"/> | ||
| 287 | ····<select·idref="audit_rules_kernel_module_loading_modprobe"·selected="true"/> | ||
| Max diff block lines reached; 2192057/2214806 bytes (98.97%) of diff not shown. | |||
| Offset 26, 21 lines modified | Offset 26, 21 lines modified | ||
| 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/> | 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/> |
| 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/> | 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/> |
| 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/> | 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/> |
| 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/> | 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/> |
| 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/> | 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/> |
| 31 | ····</ns0:checks> | 31 | ····</ns0:checks> |
| 32 | ··</ns0:data-stream> | 32 | ··</ns0:data-stream> |
| 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-07-1 | 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-07-12T18:46:00"> |
| 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 35 | ······<ns3:generator> | 35 | ······<ns3:generator> |
| 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> | 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> |
| 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> | 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> |
| 38 | ········<ns5:schema_version>5.11</ns5:schema_version> | 38 | ········<ns5:schema_version>5.11</ns5:schema_version> |
| 39 | ········<ns5:timestamp>2020-07-12T0 | 39 | ········<ns5:timestamp>2020-07-12T04:27:48</ns5:timestamp> |
| 40 | ······</ns3:generator> | 40 | ······</ns3:generator> |
| 41 | ······<ns3:definitions> | 41 | ······<ns3:definitions> |
| 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> | 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1"> |
| 43 | ··········<ns3:metadata> | 43 | ··········<ns3:metadata> |
| 44 | ············<ns3:title>Set·Password·dcredit·Requirements</ns3:title> | 44 | ············<ns3:title>Set·Password·dcredit·Requirements</ns3:title> |
| 45 | ············<ns3:affected·family="unix"> | 45 | ············<ns3:affected·family="unix"> |
| 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·6</ns3:platform> | 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·6</ns3:platform> |
| Offset 27893, 87 lines modified | Offset 27893, 99 lines modified | ||
| 27893 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> | 27893 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> |
| 27894 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> | 27894 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> |
| 27895 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> | 27895 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> |
| 27896 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> | 27896 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> |
| 27897 | ······</ns3:variables> | 27897 | ······</ns3:variables> |
| 27898 | ····</ns3:oval_definitions> | 27898 | ····</ns3:oval_definitions> |
| 27899 | ··</ns0:component> | 27899 | ··</ns0:component> |
| 27900 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-07-1 | 27900 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-07-12T18:46:00"> |
| 27901 | ····<ns9:ocil> | 27901 | ····<ns9:ocil> |
| 27902 | ······<ns9:generator> | 27902 | ······<ns9:generator> |
| 27903 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> | 27903 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> |
| 27904 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> | 27904 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> |
| 27905 | ········<ns9:schema_version>2.0</ns9:schema_version> | 27905 | ········<ns9:schema_version>2.0</ns9:schema_version> |
| 27906 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> | 27906 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> |
| 27907 | ······</ns9:generator> | 27907 | ······</ns9:generator> |
| 27908 | ······<ns9:questionnaires> | 27908 | ······<ns9:questionnaires> |
| 27909 | ········<ns9:questionnaire·id="ocil:ssg- | 27909 | ········<ns9:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"> |
| 27910 | ··········<ns9:title> | 27910 | ··········<ns9:title>Enable·Logging·of·All·FTP·Transactions</ns9:title> |
| 27911 | ··········<ns9:actions> | ||
| 27912 | ············<ns9:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 27913 | ··········</ns9:actions> | ||
| 27914 | ········</ns9:questionnaire> | ||
| 27915 | ········<ns9:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1"> | ||
| 27916 | ··········<ns9:title>Uninstall·samba·Package</ns9:title> | ||
| 27917 | ··········<ns9:actions> | 27911 | ··········<ns9:actions> |
| 27918 | ············<ns9:test_action_ref>ocil:ssg- | 27912 | ············<ns9:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns9:test_action_ref> |
| 27919 | ··········</ns9:actions> | 27913 | ··········</ns9:actions> |
| 27920 | ········</ns9:questionnaire> | 27914 | ········</ns9:questionnaire> |
| 27921 | ········<ns9:questionnaire·id="ocil:ssg- | 27915 | ········<ns9:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1"> |
| 27922 | ··········<ns9:title> | 27916 | ··········<ns9:title>Create·Warning·Banners·for·All·FTP·Users</ns9:title> |
| 27923 | ··········<ns9:actions> | 27917 | ··········<ns9:actions> |
| 27924 | ············<ns9:test_action_ref>ocil:ssg- | 27918 | ············<ns9:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns9:test_action_ref> |
| 27925 | ··········</ns9:actions> | 27919 | ··········</ns9:actions> |
| 27926 | ········</ns9:questionnaire> | 27920 | ········</ns9:questionnaire> |
| 27927 | ········<ns9:questionnaire·id="ocil:ssg- | 27921 | ········<ns9:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1"> |
| 27928 | ··········<ns9:title> | 27922 | ··········<ns9:title>Disable·vsftpd·Service</ns9:title> |
| 27929 | ··········<ns9:actions> | 27923 | ··········<ns9:actions> |
| 27930 | ············<ns9:test_action_ref>ocil:ssg- | 27924 | ············<ns9:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns9:test_action_ref> |
| 27931 | ··········</ns9:actions> | 27925 | ··········</ns9:actions> |
| 27932 | ········</ns9:questionnaire> | 27926 | ········</ns9:questionnaire> |
| 27933 | ········<ns9:questionnaire·id="ocil:ssg- | 27927 | ········<ns9:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1"> |
| 27934 | ··········<ns9:title> | 27928 | ··········<ns9:title>Uninstall·vsftpd·Package</ns9:title> |
| 27935 | ··········<ns9:actions> | 27929 | ··········<ns9:actions> |
| 27936 | ············<ns9:test_action_ref>ocil:ssg- | 27930 | ············<ns9:test_action_ref>ocil:ssg-package_vsftpd_removed_action:testaction:1</ns9:test_action_ref> |
| 27937 | ··········</ns9:actions> | 27931 | ··········</ns9:actions> |
| 27938 | ········</ns9:questionnaire> | 27932 | ········</ns9:questionnaire> |
| 27939 | ········<ns9:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1"> | 27933 | ········<ns9:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1"> |
| 27940 | ··········<ns9:title>Disable·httpd·Service</ns9:title> | 27934 | ··········<ns9:title>Disable·httpd·Service</ns9:title> |
| 27941 | ··········<ns9:actions> | 27935 | ··········<ns9:actions> |
| 27942 | ············<ns9:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns9:test_action_ref> | 27936 | ············<ns9:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns9:test_action_ref> |
| 27943 | ··········</ns9:actions> | 27937 | ··········</ns9:actions> |
| 27944 | ········</ns9:questionnaire> | 27938 | ········</ns9:questionnaire> |
| 27945 | ········<ns9:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1"> | 27939 | ········<ns9:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1"> |
| 27946 | ··········<ns9:title>Uninstall·httpd·Package</ns9:title> | 27940 | ··········<ns9:title>Uninstall·httpd·Package</ns9:title> |
| 27947 | ··········<ns9:actions> | 27941 | ··········<ns9:actions> |
| 27948 | ············<ns9:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns9:test_action_ref> | 27942 | ············<ns9:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns9:test_action_ref> |
| 27949 | ··········</ns9:actions> | 27943 | ··········</ns9:actions> |
| 27950 | ········</ns9:questionnaire> | 27944 | ········</ns9:questionnaire> |
| 27951 | ········<ns9:questionnaire·id="ocil:ssg- | 27945 | ········<ns9:questionnaire·id="ocil:ssg-service_named_disabled_ocil:questionnaire:1"> |
| 27952 | ··········<ns9:title> | 27946 | ··········<ns9:title>Disable·DNS·Server</ns9:title> |
| 27953 | ··········<ns9:actions> | 27947 | ··········<ns9:actions> |
| 27954 | ············<ns9:test_action_ref>ocil:ssg- | 27948 | ············<ns9:test_action_ref>ocil:ssg-service_named_disabled_action:testaction:1</ns9:test_action_ref> |
| 27955 | ··········</ns9:actions> | 27949 | ··········</ns9:actions> |
| 27956 | ········</ns9:questionnaire> | 27950 | ········</ns9:questionnaire> |
| 27957 | ········<ns9:questionnaire·id="ocil:ssg-p | 27951 | ········<ns9:questionnaire·id="ocil:ssg-package_bind_removed_ocil:questionnaire:1"> |
| 27958 | ··········<ns9:title> | 27952 | ··········<ns9:title>Uninstall·bind·Package</ns9:title> |
| 27959 | ··········<ns9:actions> | 27953 | ··········<ns9:actions> |
| 27960 | ············<ns9:test_action_ref>ocil:ssg-p | 27954 | ············<ns9:test_action_ref>ocil:ssg-package_bind_removed_action:testaction:1</ns9:test_action_ref> |
| 27961 | ··········</ns9:actions> | 27955 | ··········</ns9:actions> |
| 27962 | ········</ns9:questionnaire> | 27956 | ········</ns9:questionnaire> |
| 27963 | ········<ns9:questionnaire·id="ocil:ssg- | 27957 | ········<ns9:questionnaire·id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1"> |
| 27964 | ··········<ns9:title> | 27958 | ··········<ns9:title>Disable·Samba</ns9:title> |
| 27965 | ··········<ns9:actions> | 27959 | ··········<ns9:actions> |
| 27966 | ············<ns9:test_action_ref>ocil:ssg- | 27960 | ············<ns9:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns9:test_action_ref> |
| 27967 | ··········</ns9:actions> | 27961 | ··········</ns9:actions> |
| 27968 | ········</ns9:questionnaire> | 27962 | ········</ns9:questionnaire> |
| 27969 | ········<ns9:questionnaire·id="ocil:ssg- | 27963 | ········<ns9:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1"> |
| 27970 | ··········<ns9:title> | 27964 | ··········<ns9:title>Uninstall·samba·Package</ns9:title> |
| 27971 | ··········<ns9:actions> | 27965 | ··········<ns9:actions> |
| 27972 | ············<ns9:test_action_ref>ocil:ssg- | 27966 | ············<ns9:test_action_ref>ocil:ssg-package_samba_removed_action:testaction:1</ns9:test_action_ref> |
| 27967 | ··········</ns9:actions> | ||
| 27968 | ········</ns9:questionnaire> | ||
| 27969 | ········<ns9:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1"> | ||
| 27970 | ··········<ns9:title>Install·the·Samba·Common·Package</ns9:title> | ||
| 27971 | ··········<ns9:actions> | ||
| 27972 | ············<ns9:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns9:test_action_ref> | ||
| 27973 | ··········</ns9:actions> | ||
| 27974 | ········</ns9:questionnaire> | ||
| 27975 | ········<ns9:questionnaire·id="ocil:ssg-require_smb_client_signing_ocil:questionnaire:1"> | ||
| 27976 | ··········<ns9:title>Require·Client·SMB·Packet·Signing,·if·using·smbclient</ns9:title> | ||
| 27977 | ··········<ns9:actions> | ||
| 27978 | ············<ns9:test_action_ref>ocil:ssg-require_smb_client_signing_action:testaction:1</ns9:test_action_ref> | ||
| 27979 | ··········</ns9:actions> | ||
| 27980 | ········</ns9:questionnaire> | ||
| 27981 | ········<ns9:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1"> | ||
| 27982 | ··········<ns9:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns9:title> | ||
| 27983 | ··········<ns9:actions> | ||
| 27984 | ············<ns9:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns9:test_action_ref> | ||
| 27973 | ··········</ns9:actions> | 27985 | ··········</ns9:actions> |
| 27974 | ········</ns9:questionnaire> | 27986 | ········</ns9:questionnaire> |
| 27975 | ········<ns9:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1"> | 27987 | ········<ns9:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1"> |
| 27976 | ··········<ns9:title>Configure·SSSD's·Memory·Cache·to·Expire</ns9:title> | 27988 | ··········<ns9:title>Configure·SSSD's·Memory·Cache·to·Expire</ns9:title> |
| 27977 | ··········<ns9:actions> | 27989 | ··········<ns9:actions> |
| 27978 | ············<ns9:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns9:test_action_ref> | 27990 | ············<ns9:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns9:test_action_ref> |
| 27979 | ··········</ns9:actions> | 27991 | ··········</ns9:actions> |
| Max diff block lines reached; 3871933/3882742 bytes (99.72%) of diff not shown. | |||
| Offset 221, 1325 lines modified | Offset 221, 14 lines modified | ||
| 221 | ····<dc:contributor>Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 221 | ····<dc:contributor>Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 222 | ····<dc:contributor>Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 222 | ····<dc:contributor>Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 223 | ····<dc:contributor>Jan·Černý·<jcerny@redhat.com></dc:contributor> | 223 | ····<dc:contributor>Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 224 | ····<dc:contributor>Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 224 | ····<dc:contributor>Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 225 | ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 225 | ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 226 | ··</ns0:metadata> | 226 | ··</ns0:metadata> |
| 227 | ··<ns0:model·system="urn:xccdf:scoring:default"/> | 227 | ··<ns0:model·system="urn:xccdf:scoring:default"/> |
| 228 | ··<ns0:Profile·id="usgcb-rhel6-server"> | ||
| 229 | ····<ns0:title·override="true"·xml:lang="en-US">United·States·Government·Configuration·Baseline·(USGCB)</ns0:title> | ||
| 230 | ····<ns0:description·override="true"·xml:lang="en-US">This·profile·is·a·working·draft·for·a·USGCB·submission·against | ||
| 231 | RHEL6·Server.</ns0:description> | ||
| 232 | ····<ns0:select·idref="kernel_disable_entropy_contribution_for_solid_state_drives"·selected="true"/> | ||
| 233 | ····<ns0:select·idref="partition_for_tmp"·selected="true"/> | ||
| 234 | ····<ns0:select·idref="partition_for_var"·selected="true"/> | ||
| 235 | ····<ns0:select·idref="partition_for_var_log"·selected="true"/> | ||
| 236 | ····<ns0:select·idref="partition_for_var_log_audit"·selected="true"/> | ||
| 237 | ····<ns0:select·idref="partition_for_home"·selected="true"/> | ||
| 238 | ····<ns0:select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> | ||
| 239 | ····<ns0:select·idref="service_rhnsd_disabled"·selected="true"/> | ||
| 240 | ····<ns0:select·idref="security_patches_up_to_date"·selected="true"/> | ||
| 241 | ····<ns0:select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> | ||
| 242 | ····<ns0:select·idref="ensure_gpgcheck_never_disabled"·selected="true"/> | ||
| 243 | ····<ns0:select·idref="package_aide_installed"·selected="true"/> | ||
| 244 | ····<ns0:select·idref="rpm_verify_permissions"·selected="true"/> | ||
| 245 | ····<ns0:select·idref="rpm_verify_hashes"·selected="true"/> | ||
| 246 | ····<ns0:select·idref="mount_option_nodev_nonroot_local_partitions"·selected="true"/> | ||
| 247 | ····<ns0:select·idref="mount_option_nodev_removable_partitions"·selected="true"/> | ||
| 248 | ····<ns0:select·idref="mount_option_noexec_removable_partitions"·selected="true"/> | ||
| 249 | ····<ns0:select·idref="mount_option_nosuid_removable_partitions"·selected="true"/> | ||
| 250 | ····<ns0:select·idref="mount_option_tmp_nodev"·selected="true"/> | ||
| 251 | ····<ns0:select·idref="mount_option_tmp_nosuid"·selected="true"/> | ||
| 252 | ····<ns0:select·idref="mount_option_tmp_noexec"·selected="true"/> | ||
| 253 | ····<ns0:select·idref="mount_option_dev_shm_nodev"·selected="true"/> | ||
| 254 | ····<ns0:select·idref="mount_option_dev_shm_nosuid"·selected="true"/> | ||
| 255 | ····<ns0:select·idref="mount_option_dev_shm_noexec"·selected="true"/> | ||
| 256 | ····<ns0:select·idref="mount_option_var_tmp_bind"·selected="true"/> | ||
| 257 | ····<ns0:select·idref="kernel_module_cramfs_disabled"·selected="true"/> | ||
| 258 | ····<ns0:select·idref="kernel_module_freevxfs_disabled"·selected="true"/> | ||
| 259 | ····<ns0:select·idref="kernel_module_hfs_disabled"·selected="true"/> | ||
| 260 | ····<ns0:select·idref="kernel_module_hfsplus_disabled"·selected="true"/> | ||
| 261 | ····<ns0:select·idref="kernel_module_jffs2_disabled"·selected="true"/> | ||
| 262 | ····<ns0:select·idref="kernel_module_squashfs_disabled"·selected="true"/> | ||
| 263 | ····<ns0:select·idref="kernel_module_udf_disabled"·selected="true"/> | ||
| 264 | ····<ns0:select·idref="file_permissions_etc_gshadow"·selected="true"/> | ||
| 265 | ····<ns0:select·idref="file_owner_etc_gshadow"·selected="true"/> | ||
| 266 | ····<ns0:select·idref="file_groupowner_etc_gshadow"·selected="true"/> | ||
| 267 | ····<ns0:select·idref="file_permissions_etc_shadow"·selected="true"/> | ||
| 268 | ····<ns0:select·idref="userowner_shadow_file"·selected="true"/> | ||
| 269 | ····<ns0:select·idref="groupowner_shadow_file"·selected="true"/> | ||
| 270 | ····<ns0:select·idref="file_permissions_etc_group"·selected="true"/> | ||
| 271 | ····<ns0:select·idref="file_owner_etc_group"·selected="true"/> | ||
| 272 | ····<ns0:select·idref="file_groupowner_etc_group"·selected="true"/> | ||
| 273 | ····<ns0:select·idref="file_permissions_etc_passwd"·selected="true"/> | ||
| 274 | ····<ns0:select·idref="file_owner_etc_passwd"·selected="true"/> | ||
| 275 | ····<ns0:select·idref="file_groupowner_etc_passwd"·selected="true"/> | ||
| 276 | ····<ns0:select·idref="dir_perms_world_writable_sticky_bits"·selected="true"/> | ||
| 277 | ····<ns0:select·idref="file_permissions_unauthorized_world_writable"·selected="true"/> | ||
| 278 | ····<ns0:select·idref="file_permissions_unauthorized_sgid"·selected="true"/> | ||
| 279 | ····<ns0:select·idref="file_permissions_unauthorized_suid"·selected="true"/> | ||
| 280 | ····<ns0:select·idref="no_files_unowned_by_user"·selected="true"/> | ||
| 281 | ····<ns0:select·idref="file_permissions_ungroupowned"·selected="true"/> | ||
| 282 | ····<ns0:select·idref="dir_perms_world_writable_system_owned"·selected="true"/> | ||
| 283 | ····<ns0:select·idref="umask_for_daemons"·selected="true"/> | ||
| 284 | ····<ns0:select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | ||
| 285 | ····<ns0:select·idref="disable_users_coredumps"·selected="true"/> | ||
| 286 | ····<ns0:select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | ||
| 287 | ····<ns0:select·idref="sysctl_kernel_exec_shield"·selected="true"/> | ||
| 288 | ····<ns0:select·idref="install_PAE_kernel_on_x86-32"·selected="true"/> | ||
| 289 | ····<ns0:select·idref="securetty_root_login_console_only"·selected="true"/> | ||
| 290 | ····<ns0:select·idref="restrict_serial_port_logins"·selected="true"/> | ||
| 291 | ····<ns0:select·idref="no_empty_passwords"·selected="true"/> | ||
| 292 | ····<ns0:select·idref="accounts_password_all_shadowed"·selected="true"/> | ||
| 293 | ····<ns0:select·idref="accounts_no_uid_except_zero"·selected="true"/> | ||
| 294 | ····<ns0:select·idref="accounts_password_warn_age_login_defs"·selected="true"/> | ||
| 295 | ····<ns0:select·idref="accounts_maximum_age_login_defs"·selected="true"/> | ||
| 296 | ····<ns0:select·idref="accounts_password_minlen_login_defs"·selected="true"/> | ||
| 297 | ····<ns0:select·idref="accounts_password_pam_retry"·selected="true"/> | ||
| 298 | ····<ns0:select·idref="accounts_password_pam_dcredit"·selected="true"/> | ||
| 299 | ····<ns0:select·idref="accounts_password_pam_ucredit"·selected="true"/> | ||
| 300 | ····<ns0:select·idref="accounts_password_pam_lcredit"·selected="true"/> | ||
| 301 | ····<ns0:select·idref="accounts_password_pam_ocredit"·selected="true"/> | ||
| 302 | ····<ns0:select·idref="accounts_password_pam_difok"·selected="true"/> | ||
| 303 | ····<ns0:select·idref="accounts_passwords_pam_faillock_deny"·selected="true"/> | ||
| 304 | ····<ns0:select·idref="set_password_hashing_algorithm_systemauth"·selected="true"/> | ||
| 305 | ····<ns0:select·idref="set_password_hashing_algorithm_logindefs"·selected="true"/> | ||
| 306 | ····<ns0:select·idref="accounts_password_pam_unix_remember"·selected="true"/> | ||
| 307 | ····<ns0:select·idref="root_path_no_dot"·selected="true"/> | ||
| 308 | ····<ns0:select·idref="accounts_root_path_dirs_no_write"·selected="true"/> | ||
| 309 | ····<ns0:select·idref="file_permissions_home_dirs"·selected="true"/> | ||
| 310 | ····<ns0:select·idref="accounts_umask_etc_bashrc"·selected="true"/> | ||
| 311 | ····<ns0:select·idref="accounts_umask_etc_csh_cshrc"·selected="true"/> | ||
| 312 | ····<ns0:select·idref="accounts_umask_etc_profile"·selected="true"/> | ||
| 313 | ····<ns0:select·idref="accounts_umask_etc_login_defs"·selected="true"/> | ||
| 314 | ····<ns0:select·idref="file_user_owner_grub_conf"·selected="true"/> | ||
| 315 | ····<ns0:select·idref="file_group_owner_grub_conf"·selected="true"/> | ||
| 316 | ····<ns0:select·idref="file_permissions_grub_conf"·selected="true"/> | ||
| 317 | ····<ns0:select·idref="bootloader_password"·selected="true"/> | ||
| 318 | ····<ns0:select·idref="disable_interactive_boot"·selected="true"/> | ||
| 319 | ····<ns0:select·idref="gconf_gnome_screensaver_idle_delay"·selected="true"/> | ||
| 320 | ····<ns0:select·idref="gconf_gnome_screensaver_idle_activation_enabled"·selected="true"/> | ||
| 321 | ····<ns0:select·idref="gconf_gnome_screensaver_lock_enabled"·selected="true"/> | ||
| 322 | ····<ns0:select·idref="gconf_gnome_screensaver_mode_blank"·selected="true"/> | ||
| 323 | ····<ns0:select·idref="banner_etc_issue"·selected="true"/> | ||
| 324 | ····<ns0:select·idref="selinux_state"·selected="true"/> | ||
| 325 | ····<ns0:select·idref="selinux_policytype"·selected="true"/> | ||
| 326 | ····<ns0:select·idref="enable_selinux_bootloader"·selected="true"/> | ||
| 327 | ····<ns0:select·idref="selinux_confinement_of_daemons"·selected="true"/> | ||
| 328 | ····<ns0:select·idref="selinux_all_devicefiles_labeled"·selected="true"/> | ||
| 329 | ····<ns0:select·idref="sysctl_net_ipv4_ip_forward"·selected="true"/> | ||
| 330 | ····<ns0:select·idref="sysctl_net_ipv4_conf_all_send_redirects"·selected="true"/> | ||
| 331 | ····<ns0:select·idref="sysctl_net_ipv4_conf_default_send_redirects"·selected="true"/> | ||
| 332 | ····<ns0:select·idref="sysctl_net_ipv4_conf_all_secure_redirects"·selected="true"/> | ||
| 333 | ····<ns0:select·idref="sysctl_net_ipv4_conf_all_accept_redirects"·selected="true"/> | ||
| 334 | ····<ns0:select·idref="sysctl_net_ipv4_conf_default_accept_source_route"·selected="true"/> | ||
| 335 | ····<ns0:select·idref="sysctl_net_ipv4_conf_default_secure_redirects"·selected="true"/> | ||
| 336 | ····<ns0:select·idref="sysctl_net_ipv4_conf_default_accept_redirects"·selected="true"/> | ||
| 337 | ····<ns0:select·idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses"·selected="true"/> | ||
| 338 | ····<ns0:select·idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts"·selected="true"/> | ||
| 339 | ····<ns0:select·idref="sysctl_net_ipv4_conf_all_log_martians"·selected="true"/> | ||
| 340 | ····<ns0:select·idref="sysctl_net_ipv4_conf_all_rp_filter"·selected="true"/> | ||
| 341 | ····<ns0:select·idref="sysctl_net_ipv4_tcp_syncookies"·selected="true"/> | ||
| 342 | ····<ns0:select·idref="sysctl_net_ipv4_conf_default_rp_filter"·selected="true"/> | ||
| 343 | ····<ns0:select·idref="wireless_disable_in_bios"·selected="true"/> | ||
| 344 | ····<ns0:select·idref="service_bluetooth_disabled"·selected="true"/> | ||
| 345 | ····<ns0:select·idref="network_ipv6_disable_rpc"·selected="true"/> | ||
| 346 | ····<ns0:select·idref="sysctl_net_ipv6_conf_default_accept_ra"·selected="true"/> | ||
| 347 | ····<ns0:select·idref="sysctl_net_ipv6_conf_default_accept_redirects"·selected="true"/> | ||
| Max diff block lines reached; 1662681/1756404 bytes (94.66%) of diff not shown. | |||
| Offset 26, 21 lines modified | Offset 26, 21 lines modified | ||
| 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/> | 26 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/> |
| 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/> | 27 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/> |
| 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/> | 28 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/> |
| 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/> | 29 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/> |
| 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/> | 30 | ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/> |
| 31 | ····</ns0:checks> | 31 | ····</ns0:checks> |
| 32 | ··</ns0:data-stream> | 32 | ··</ns0:data-stream> |
| 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-07-1 | 33 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-07-12T18:46:05"> |
| 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> | 34 | ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd"> |
| 35 | ······<ns3:generator> | 35 | ······<ns3:generator> |
| 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> | 36 | ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name> |
| 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> | 37 | ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version> |
| 38 | ········<ns5:schema_version>5.11</ns5:schema_version> | 38 | ········<ns5:schema_version>5.11</ns5:schema_version> |
| 39 | ········<ns5:timestamp>2020-07-12T0 | 39 | ········<ns5:timestamp>2020-07-12T04:32:03</ns5:timestamp> |
| 40 | ······</ns3:generator> | 40 | ······</ns3:generator> |
| 41 | ······<ns3:definitions> | 41 | ······<ns3:definitions> |
| 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> | 42 | ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1"> |
| 43 | ··········<ns3:metadata> | 43 | ··········<ns3:metadata> |
| 44 | ············<ns3:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns3:title> | 44 | ············<ns3:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns3:title> |
| 45 | ············<ns3:affected·family="unix"> | 45 | ············<ns3:affected·family="unix"> |
| 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·7</ns3:platform> | 46 | ··············<ns3:platform>Red·Hat·Enterprise·Linux·7</ns3:platform> |
| Offset 31871, 29 lines modified | Offset 31871, 23 lines modified | ||
| 31871 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> | 31871 | ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/> |
| 31872 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> | 31872 | ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/> |
| 31873 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> | 31873 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/> |
| 31874 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> | 31874 | ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/> |
| 31875 | ······</ns3:variables> | 31875 | ······</ns3:variables> |
| 31876 | ····</ns3:oval_definitions> | 31876 | ····</ns3:oval_definitions> |
| 31877 | ··</ns0:component> | 31877 | ··</ns0:component> |
| 31878 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-07-1 | 31878 | ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-07-12T18:46:05"> |
| 31879 | ····<ns9:ocil> | 31879 | ····<ns9:ocil> |
| 31880 | ······<ns9:generator> | 31880 | ······<ns9:generator> |
| 31881 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> | 31881 | ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name> |
| 31882 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> | 31882 | ········<ns9:product_version>ssg:·0.1.39</ns9:product_version> |
| 31883 | ········<ns9:schema_version>2.0</ns9:schema_version> | 31883 | ········<ns9:schema_version>2.0</ns9:schema_version> |
| 31884 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> | 31884 | ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp> |
| 31885 | ······</ns9:generator> | 31885 | ······</ns9:generator> |
| 31886 | ······<ns9:questionnaires> | 31886 | ······<ns9:questionnaires> |
| 31887 | ········<ns9:questionnaire·id="ocil:ssg-service_docker_enabled_ocil:questionnaire:1"> | ||
| 31888 | ··········<ns9:title>Enable·the·Docker·service</ns9:title> | ||
| 31889 | ··········<ns9:actions> | ||
| 31890 | ············<ns9:test_action_ref>ocil:ssg-service_docker_enabled_action:testaction:1</ns9:test_action_ref> | ||
| 31891 | ··········</ns9:actions> | ||
| 31892 | ········</ns9:questionnaire> | ||
| 31893 | ········<ns9:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1"> | 31887 | ········<ns9:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1"> |
| 31894 | ··········<ns9:title>Uninstall·rsh·Package</ns9:title> | 31888 | ··········<ns9:title>Uninstall·rsh·Package</ns9:title> |
| 31895 | ··········<ns9:actions> | 31889 | ··········<ns9:actions> |
| 31896 | ············<ns9:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns9:test_action_ref> | 31890 | ············<ns9:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns9:test_action_ref> |
| 31897 | ··········</ns9:actions> | 31891 | ··········</ns9:actions> |
| 31898 | ········</ns9:questionnaire> | 31892 | ········</ns9:questionnaire> |
| 31899 | ········<ns9:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> | 31893 | ········<ns9:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"> |
| Offset 31952, 26 lines modified | Offset 31946, 26 lines modified | ||
| 31952 | ········</ns9:questionnaire> | 31946 | ········</ns9:questionnaire> |
| 31953 | ········<ns9:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1"> | 31947 | ········<ns9:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1"> |
| 31954 | ··········<ns9:title>Uninstall·telnet-server·Package</ns9:title> | 31948 | ··········<ns9:title>Uninstall·telnet-server·Package</ns9:title> |
| 31955 | ··········<ns9:actions> | 31949 | ··········<ns9:actions> |
| 31956 | ············<ns9:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns9:test_action_ref> | 31950 | ············<ns9:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns9:test_action_ref> |
| 31957 | ··········</ns9:actions> | 31951 | ··········</ns9:actions> |
| 31958 | ········</ns9:questionnaire> | 31952 | ········</ns9:questionnaire> |
| 31959 | ········<ns9:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"> | ||
| 31960 | ··········<ns9:title>Disable·ypbind·Service</ns9:title> | ||
| 31961 | ··········<ns9:actions> | ||
| 31962 | ············<ns9:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 31963 | ··········</ns9:actions> | ||
| 31964 | ········</ns9:questionnaire> | ||
| 31965 | ········<ns9:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1"> | 31953 | ········<ns9:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1"> |
| 31966 | ··········<ns9:title>Remove·NIS·Client</ns9:title> | 31954 | ··········<ns9:title>Remove·NIS·Client</ns9:title> |
| 31967 | ··········<ns9:actions> | 31955 | ··········<ns9:actions> |
| 31968 | ············<ns9:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns9:test_action_ref> | 31956 | ············<ns9:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns9:test_action_ref> |
| 31969 | ··········</ns9:actions> | 31957 | ··········</ns9:actions> |
| 31970 | ········</ns9:questionnaire> | 31958 | ········</ns9:questionnaire> |
| 31959 | ········<ns9:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"> | ||
| 31960 | ··········<ns9:title>Disable·ypbind·Service</ns9:title> | ||
| 31961 | ··········<ns9:actions> | ||
| 31962 | ············<ns9:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 31963 | ··········</ns9:actions> | ||
| 31964 | ········</ns9:questionnaire> | ||
| 31971 | ········<ns9:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1"> | 31965 | ········<ns9:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1"> |
| 31972 | ··········<ns9:title>Uninstall·ypserv·Package</ns9:title> | 31966 | ··········<ns9:title>Uninstall·ypserv·Package</ns9:title> |
| 31973 | ··········<ns9:actions> | 31967 | ··········<ns9:actions> |
| 31974 | ············<ns9:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns9:test_action_ref> | 31968 | ············<ns9:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns9:test_action_ref> |
| 31975 | ··········</ns9:actions> | 31969 | ··········</ns9:actions> |
| 31976 | ········</ns9:questionnaire> | 31970 | ········</ns9:questionnaire> |
| 31977 | ········<ns9:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1"> | 31971 | ········<ns9:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1"> |
| Offset 31994, 26 lines modified | Offset 31988, 26 lines modified | ||
| 31994 | ········</ns9:questionnaire> | 31988 | ········</ns9:questionnaire> |
| 31995 | ········<ns9:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> | 31989 | ········<ns9:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"> |
| 31996 | ··········<ns9:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns9:title> | 31990 | ··········<ns9:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns9:title> |
| 31997 | ··········<ns9:actions> | 31991 | ··········<ns9:actions> |
| 31998 | ············<ns9:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns9:test_action_ref> | 31992 | ············<ns9:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns9:test_action_ref> |
| 31999 | ··········</ns9:actions> | 31993 | ··········</ns9:actions> |
| 32000 | ········</ns9:questionnaire> | 31994 | ········</ns9:questionnaire> |
| 32001 | ········<ns9:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> | ||
| 32002 | ··········<ns9:title>Disable·xinetd·Service</ns9:title> | ||
| 32003 | ··········<ns9:actions> | ||
| 32004 | ············<ns9:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 32005 | ··········</ns9:actions> | ||
| 32006 | ········</ns9:questionnaire> | ||
| 32007 | ········<ns9:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1"> | 31995 | ········<ns9:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1"> |
| 32008 | ··········<ns9:title>Install·tcp_wrappers·Package</ns9:title> | 31996 | ··········<ns9:title>Install·tcp_wrappers·Package</ns9:title> |
| 32009 | ··········<ns9:actions> | 31997 | ··········<ns9:actions> |
| 32010 | ············<ns9:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns9:test_action_ref> | 31998 | ············<ns9:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns9:test_action_ref> |
| 32011 | ··········</ns9:actions> | 31999 | ··········</ns9:actions> |
| 32012 | ········</ns9:questionnaire> | 32000 | ········</ns9:questionnaire> |
| 32001 | ········<ns9:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> | ||
| 32002 | ··········<ns9:title>Disable·xinetd·Service</ns9:title> | ||
| 32003 | ··········<ns9:actions> | ||
| 32004 | ············<ns9:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns9:test_action_ref> | ||
| 32005 | ··········</ns9:actions> | ||
| 32006 | ········</ns9:questionnaire> | ||
| 32013 | ········<ns9:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> | 32007 | ········<ns9:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1"> |
| 32014 | ··········<ns9:title>Uninstall·xinetd·Package</ns9:title> | 32008 | ··········<ns9:title>Uninstall·xinetd·Package</ns9:title> |
| 32015 | ··········<ns9:actions> | 32009 | ··········<ns9:actions> |
| 32016 | ············<ns9:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns9:test_action_ref> | 32010 | ············<ns9:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns9:test_action_ref> |
| 32017 | ··········</ns9:actions> | 32011 | ··········</ns9:actions> |
| 32018 | ········</ns9:questionnaire> | 32012 | ········</ns9:questionnaire> |
| 32019 | ········<ns9:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> | 32013 | ········<ns9:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1"> |
| Offset 32024, 26 lines modified | Offset 32018, 38 lines modified | ||
| 32024 | ········</ns9:questionnaire> | 32018 | ········</ns9:questionnaire> |
| 32025 | ········<ns9:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> | 32019 | ········<ns9:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1"> |
| 32026 | ··········<ns9:title>Uninstall·talk-server·Package</ns9:title> | 32020 | ··········<ns9:title>Uninstall·talk-server·Package</ns9:title> |
| 32027 | ··········<ns9:actions> | 32021 | ··········<ns9:actions> |
| 32028 | ············<ns9:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns9:test_action_ref> | 32022 | ············<ns9:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns9:test_action_ref> |
| 32029 | ··········</ns9:actions> | 32023 | ··········</ns9:actions> |
| 32030 | ········</ns9:questionnaire> | 32024 | ········</ns9:questionnaire> |
| 32031 | ········<ns9:questionnaire·id="ocil:ssg- | 32025 | ········<ns9:questionnaire·id="ocil:ssg-service_dovecot_disabled_ocil:questionnaire:1"> |
| 32032 | ··········<ns9:title> | 32026 | ··········<ns9:title>Disable·Dovecot·Service</ns9:title> |
| Max diff block lines reached; 5529958/5538602 bytes (99.84%) of diff not shown. | |||
| Offset 221, 348 lines modified | Offset 221, 14 lines modified | ||
| 221 | ····<dc:contributor>Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> | 221 | ····<dc:contributor>Xirui·Yang·<xirui.yang@oracle.com></dc:contributor> |
| 222 | ····<dc:contributor>Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> | 222 | ····<dc:contributor>Kevin·Zimmerman·<kevin.zimmerman@kitware.com></dc:contributor> |
| 223 | ····<dc:contributor>Jan·Černý·<jcerny@redhat.com></dc:contributor> | 223 | ····<dc:contributor>Jan·Černý·<jcerny@redhat.com></dc:contributor> |
| 224 | ····<dc:contributor>Michal·Šrubař·<msrubar@redhat.com></dc:contributor> | 224 | ····<dc:contributor>Michal·Šrubař·<msrubar@redhat.com></dc:contributor> |
| 225 | ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | 225 | ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> |
| 226 | ··</ns0:metadata> | 226 | ··</ns0:metadata> |
| 227 | ··<ns0:model·system="urn:xccdf:scoring:default"/> | 227 | ··<ns0:model·system="urn:xccdf:scoring:default"/> |
| 228 | ··<ns0:Profile·id="hipaa"> | ||
| 229 | ····<ns0:title·override="true"·xml:lang="en-US">Health·Insurance·Portability·and·Accountability·Act·(HIPAA)</ns0:title> | ||
| 230 | ····<ns0:description·override="true"·xml:lang="en-US">The·HIPAA·Security·Rule·establishes·U.S.·national·standards·to·protect·individuals’ | ||
| 231 | electronic·personal·health·information·that·is·created,·received,·used,·or | ||
| 232 | maintained·by·a·covered·entity.·The·Security·Rule·requires·appropriate | ||
| 233 | administrative,·physical·and·technical·safeguards·to·ensure·the | ||
| 234 | confidentiality,·integrity,·and·security·of·electronic·protected·health | ||
| 235 | information. | ||
| 236 | This·profile·configures·Red·Hat·Enterprise·Linux·7·to·the·HIPAA·Security | ||
| 237 | Rule·identified·for·securing·of·electronic·protected·health·information.</ns0:description> | ||
| 238 | ····<ns0:select·idref="bootloader_password"·selected="true"/> | ||
| 239 | ····<ns0:select·idref="bootloader_uefi_password"·selected="true"/> | ||
| 240 | ····<ns0:select·idref="file_group_owner_grub2_cfg"·selected="true"/> | ||
| 241 | ····<ns0:select·idref="file_permissions_grub2_cfg"·selected="true"/> | ||
| 242 | ····<ns0:select·idref="file_user_owner_grub2_cfg"·selected="true"/> | ||
| 243 | ····<ns0:select·idref="disable_interactive_boot"·selected="true"/> | ||
| 244 | ····<ns0:select·idref="no_direct_root_logins"·selected="true"/> | ||
| 245 | ····<ns0:select·idref="no_empty_passwords"·selected="true"/> | ||
| 246 | ····<ns0:select·idref="require_singleuser_auth"·selected="true"/> | ||
| 247 | ····<ns0:select·idref="restrict_serial_port_logins"·selected="true"/> | ||
| 248 | ····<ns0:select·idref="securetty_root_login_console_only"·selected="true"/> | ||
| 249 | ····<ns0:select·idref="service_debug-shell_disabled"·selected="true"/> | ||
| 250 | ····<ns0:select·idref="disable_ctrlaltdel_reboot"·selected="true"/> | ||
| 251 | ····<ns0:select·idref="disable_ctrlaltdel_burstaction"·selected="true"/> | ||
| 252 | ····<ns0:select·idref="dconf_gnome_remote_access_credential_prompt"·selected="true"/> | ||
| 253 | ····<ns0:select·idref="dconf_gnome_remote_access_encryption"·selected="true"/> | ||
| 254 | ····<ns0:select·idref="sshd_disable_empty_passwords"·selected="true"/> | ||
| 255 | ····<ns0:select·idref="sshd_disable_root_login"·selected="true"/> | ||
| 256 | ····<ns0:select·idref="libreswan_approved_tunnels"·selected="true"/> | ||
| 257 | ····<ns0:select·idref="no_rsh_trust_files"·selected="true"/> | ||
| 258 | ····<ns0:select·idref="package_rsh_removed"·selected="true"/> | ||
| 259 | ····<ns0:select·idref="package_rsh-server_removed"·selected="true"/> | ||
| 260 | ····<ns0:select·idref="package_talk_removed"·selected="true"/> | ||
| 261 | ····<ns0:select·idref="package_talk-server_removed"·selected="true"/> | ||
| 262 | ····<ns0:select·idref="package_telnet_removed"·selected="true"/> | ||
| 263 | ····<ns0:select·idref="package_telnet-server_removed"·selected="true"/> | ||
| 264 | ····<ns0:select·idref="package_xinetd_removed"·selected="true"/> | ||
| 265 | ····<ns0:select·idref="package_ypbind_removed"·selected="true"/> | ||
| 266 | ····<ns0:select·idref="package_ypserv_removed"·selected="true"/> | ||
| 267 | ····<ns0:select·idref="service_crond_enabled"·selected="true"/> | ||
| 268 | ····<ns0:select·idref="service_rexec_disabled"·selected="true"/> | ||
| 269 | ····<ns0:select·idref="service_rlogin_disabled"·selected="true"/> | ||
| 270 | ····<ns0:select·idref="service_rsh_disabled"·selected="true"/> | ||
| 271 | ····<ns0:select·idref="service_telnet_disabled"·selected="true"/> | ||
| 272 | ····<ns0:select·idref="service_xinetd_disabled"·selected="true"/> | ||
| 273 | ····<ns0:select·idref="service_ypbind_disabled"·selected="true"/> | ||
| 274 | ····<ns0:select·idref="service_zebra_disabled"·selected="true"/> | ||
| 275 | ····<ns0:select·idref="use_kerberos_security_all_exports"·selected="true"/> | ||
| 276 | ····<ns0:select·idref="disable_host_auth"·selected="true"/> | ||
| 277 | ····<ns0:select·idref="sshd_allow_only_protocol2"·selected="true"/> | ||
| 278 | ····<ns0:select·idref="sshd_disable_compression"·selected="true"/> | ||
| 279 | ····<ns0:select·idref="sshd_disable_gssapi_auth"·selected="true"/> | ||
| 280 | ····<ns0:select·idref="sshd_disable_kerb_auth"·selected="true"/> | ||
| 281 | ····<ns0:select·idref="sshd_disable_rhosts_rsa"·selected="true"/> | ||
| 282 | ····<ns0:select·idref="sshd_disable_rhosts"·selected="true"/> | ||
| 283 | ····<ns0:select·idref="sshd_disable_user_known_hosts"·selected="true"/> | ||
| 284 | ····<ns0:select·idref="sshd_do_not_permit_user_env"·selected="true"/> | ||
| 285 | ····<ns0:select·idref="sshd_enable_strictmodes"·selected="true"/> | ||
| 286 | ····<ns0:select·idref="sshd_enable_warning_banner"·selected="true"/> | ||
| 287 | ····<ns0:select·idref="sshd_set_keepalive"·selected="true"/> | ||
| 288 | ····<ns0:select·idref="sshd_use_priv_separation"·selected="true"/> | ||
| 289 | ····<ns0:select·idref="encrypt_partitions"·selected="true"/> | ||
| 290 | ····<ns0:select·idref="sshd_use_approved_ciphers"·selected="true"/> | ||
| 291 | ····<ns0:select·idref="sshd_use_approved_macs"·selected="true"/> | ||
| 292 | ····<ns0:select·idref="enable_selinux_bootloader"·selected="true"/> | ||
| 293 | ····<ns0:select·idref="sebool_selinuxuser_execheap"·selected="true"/> | ||
| 294 | ····<ns0:select·idref="sebool_selinuxuser_execmod"·selected="true"/> | ||
| 295 | ····<ns0:select·idref="sebool_selinuxuser_execstack"·selected="true"/> | ||
| 296 | ····<ns0:select·idref="selinux_confinement_of_daemons"·selected="true"/> | ||
| 297 | ····<ns0:select·idref="selinux_policytype"·selected="true"/> | ||
| 298 | ····<ns0:select·idref="selinux_state"·selected="true"/> | ||
| 299 | ····<ns0:select·idref="service_kdump_disabled"·selected="true"/> | ||
| 300 | ····<ns0:select·idref="sysctl_fs_suid_dumpable"·selected="true"/> | ||
| 301 | ····<ns0:select·idref="sysctl_kernel_dmesg_restrict"·selected="true"/> | ||
| 302 | ····<ns0:select·idref="sysctl_kernel_exec_shield"·selected="true"/> | ||
| 303 | ····<ns0:select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> | ||
| 304 | ····<ns0:select·idref="rpm_verify_hashes"·selected="true"/> | ||
| 305 | ····<ns0:select·idref="rpm_verify_permissions"·selected="true"/> | ||
| 306 | ····<ns0:select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> | ||
| 307 | ····<ns0:select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> | ||
| 308 | ····<ns0:select·idref="ensure_gpgcheck_never_disabled"·selected="true"/> | ||
| 309 | ····<ns0:select·idref="ensure_gpgcheck_repo_metadata"·selected="true"/> | ||
| 310 | ····<ns0:select·idref="ensure_gpgcheck_local_packages"·selected="true"/> | ||
| 311 | ····<ns0:select·idref="bootloader_audit_argument"·selected="true"/> | ||
| 312 | ····<ns0:select·idref="service_auditd_enabled"·selected="true"/> | ||
| 313 | ····<ns0:select·idref="audit_rules_privileged_commands_sudo"·selected="true"/> | ||
| 314 | ····<ns0:select·idref="audit_rules_privileged_commands_su"·selected="true"/> | ||
| 315 | ····<ns0:select·idref="audit_rules_immutable"·selected="true"/> | ||
| 316 | ····<ns0:select·idref="kernel_module_usb-storage_disabled"·selected="true"/> | ||
| 317 | ····<ns0:select·idref="service_autofs_disabled"·selected="true"/> | ||
| 318 | ····<ns0:select·idref="auditd_audispd_syslog_plugin_activated"·selected="true"/> | ||
| 319 | ····<ns0:select·idref="rsyslog_remote_loghost"·selected="true"/> | ||
| 320 | ····<ns0:select·idref="auditd_data_retention_flush"·selected="true"/> | ||
| 321 | ····<ns0:select·idref="audit_rules_dac_modification_chmod"·selected="true"/> | ||
| 322 | ····<ns0:select·idref="audit_rules_dac_modification_chown"·selected="true"/> | ||
| 323 | ····<ns0:select·idref="audit_rules_dac_modification_fchmodat"·selected="true"/> | ||
| 324 | ····<ns0:select·idref="audit_rules_dac_modification_fchmod"·selected="true"/> | ||
| 325 | ····<ns0:select·idref="audit_rules_dac_modification_fchownat"·selected="true"/> | ||
| 326 | ····<ns0:select·idref="audit_rules_dac_modification_fchown"·selected="true"/> | ||
| 327 | ····<ns0:select·idref="audit_rules_dac_modification_fremovexattr"·selected="true"/> | ||
| 328 | ····<ns0:select·idref="audit_rules_dac_modification_fsetxattr"·selected="true"/> | ||
| 329 | ····<ns0:select·idref="audit_rules_dac_modification_lchown"·selected="true"/> | ||
| 330 | ····<ns0:select·idref="audit_rules_dac_modification_lremovexattr"·selected="true"/> | ||
| 331 | ····<ns0:select·idref="audit_rules_dac_modification_lsetxattr"·selected="true"/> | ||
| 332 | ····<ns0:select·idref="audit_rules_dac_modification_removexattr"·selected="true"/> | ||
| 333 | ····<ns0:select·idref="audit_rules_dac_modification_setxattr"·selected="true"/> | ||
| 334 | ····<ns0:select·idref="audit_rules_execution_chcon"·selected="true"/> | ||
| 335 | ····<ns0:select·idref="audit_rules_execution_restorecon"·selected="true"/> | ||
| 336 | ····<ns0:select·idref="audit_rules_execution_semanage"·selected="true"/> | ||
| 337 | ····<ns0:select·idref="audit_rules_execution_setsebool"·selected="true"/> | ||
| 338 | ····<ns0:select·idref="audit_rules_file_deletion_events_renameat"·selected="true"/> | ||
| 339 | ····<ns0:select·idref="audit_rules_file_deletion_events_rename"·selected="true"/> | ||
| 340 | ····<ns0:select·idref="audit_rules_file_deletion_events_rmdir"·selected="true"/> | ||
| 341 | ····<ns0:select·idref="audit_rules_file_deletion_events_unlinkat"·selected="true"/> | ||
| 342 | ····<ns0:select·idref="audit_rules_file_deletion_events_unlink"·selected="true"/> | ||
| 343 | ····<ns0:select·idref="audit_rules_kernel_module_loading_delete"·selected="true"/> | ||
| 344 | ····<ns0:select·idref="audit_rules_kernel_module_loading_init"·selected="true"/> | ||
| 345 | ····<ns0:select·idref="audit_rules_kernel_module_loading_insmod"·selected="true"/> | ||
| 346 | ····<ns0:select·idref="audit_rules_kernel_module_loading_modprobe"·selected="true"/> | ||
| Max diff block lines reached; 1966174/1989941 bytes (98.81%) of diff not shown. | |||